Admin

PyPI Stops Accepting New Registrations due to Increase in Malicious Package Uploads Affecting Developers

On March 29, 2024, the maintainers of the Python Package Index (PyPI) briefly suspended new user sign-ups in response to an influx of malicious projects uploaded as part of a typosquatting campaign. The suspension was put in place to address the malware upload campaign, and the issue was resolved 10 hours later, on March 28, 2024.

Security firm Checkmarx reported that threat actors flooded the repository with typosquatted versions of popular packages in a multi-stage attack aimed at stealing sensitive data and credentials from developers. Mend.io also independently confirmed the presence of over 100 malicious packages targeting machine learning libraries.

This incident highlights the growing trend of open-source repositories being used as attack vectors by threat actors. Typosquatting, a well-known attack technique, was employed to trick users into downloading deceptive variants of legitimate packages: the malicious names differ from the real ones by only a character or two. Over 500 packages were uploaded from a single account, suggesting the process was automated.
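The defender's counterpart to the technique described above is checking a project's dependency names against a list of well-known packages before installation. The following is an added example, not code from the article or from PyPI: it normalizes names per PEP 503 and flags any requirement within a small edit distance of a popular package. The `POPULAR` set and the sample `requirements.txt` contents are constructed for illustration.

```python
import re

# Constructed reference list of well-known PyPI project names (an assumption for this example).
POPULAR = {"requests", "numpy", "pandas", "scikit-learn", "tensorflow",
           "torch", "matplotlib", "pillow", "cryptography", "urllib3"}

# Constructed sample requirements.txt: 'requets' and 'numpyy' are one edit from
# real names, 'scikit-learn' is an exact match, 'mytool' resembles nothing.
SAMPLE_REQUIREMENTS = """\
requets==2.31.0
numpyy>=1.26
scikit-learn
mytool
"""

def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_requirements(text: str, popular=POPULAR, max_dist: int = 2) -> dict:
    """Map each near-miss requirement name to the popular name it most resembles.
    Exact matches are trusted; names far from every popular name are ignored."""
    popular_norm = {normalize(p) for p in popular}
    flagged = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        name = normalize(re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0])
        if name in popular_norm:
            continue
        close = [p for p in popular_norm if edit_distance(name, p) <= max_dist]
        if close:
            flagged[name] = min(close, key=lambda p: edit_distance(name, p))
    return flagged

if __name__ == "__main__":
    for bad, real in suspicious_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{bad!r} looks like {real!r}")
```

A hit is a prompt to verify the project page and its maintainers, not proof of malice; legitimate forks and plugins often sit close to a popular name.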

Cybersecurity firm Phylum tracked the campaign and identified variations of popular packages being published. The malicious packages targeted Windows operating systems, downloading and executing a payload from an actor-controlled domain.

The malware functions as a stealer, exfiltrating files, tokens, and data from web browsers and cryptocurrency wallets. It also attempts to achieve persistence by downloading a Python script to the Windows Startup folder.

This incident underscores the importance of scrutinizing third-party components to protect against potential threats. PyPI has previously suspended new user registrations in response to malicious activities on the index, emphasizing the ongoing need for vigilance in software supply chain security.
