About PyPI Packages
It has become a kind of whack-a-mole drill: taking down malicious code only to find more taking its place. In last week's disclosure, Check Point researchers discovered Trojanized packages imitating legitimate components; they contained droppers for data-stealing malware.
This prompted Kaspersky researchers to investigate the open source repository further, which turned up two more rogue offerings, "pyrequests" and "ultrarequests," that impersonate one of the most popular packages on PyPI, known simply as "requests".
How did the attack happen?
Check Point says: "PyPI has over 612,240 active users, working on 391,325 projects, with 3,664,724 releases. What many users are not aware of is the fact that this simple one-liner command can put them at an elevated risk. The pip install command triggers a package installation which can include a setup.py script."
The threat actor reused the description of the authentic "requests" package to fool victims into downloading the harmful ones. The description includes faked statistics, claiming the package had been installed more than 230 million times in a month and had more than 48,000 stars on GitHub.
The project description also links to the web pages of the legitimate requests package, along with the author's email address. All mentions of the original requests package have been replaced with the names of the malicious ones.
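The two weaknesses the article describes, a package name that borrows a popular name with a prefix or suffix glued on, and a setup.py that runs arbitrary code at install time, can both be checked before a package is installed. The script below is an added example written for this page; it is not code from Check Point, Kaspersky, Snyk or PyPI. The popular-package list, the regex patterns, the package names and both sample setup.py files are constructed for illustration, and the install-time scan is a heuristic that flags material for review rather than proving malice.

```python
"""
Pre-install vetting for a requested PyPI package name plus its setup.py.
Added example for this article; all lists and samples are constructed.
"""
import difflib
import re

# Constructed allow-list. A real deployment would load the top-N PyPI names
# from a maintained source instead of hard-coding a handful (assumption).
POPULAR = sorted({"requests", "urllib3", "numpy", "pandas", "flask", "django", "boto3"})


def normalize(name):
    """PEP 503 name normalization: case-fold and collapse runs of -, _, . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def impersonation_candidates(name, popular=POPULAR, cutoff=0.8):
    """Return popular names that `name` resembles but does not equal.

    Two heuristics: a popular name glued directly onto extra characters
    ('pyrequests', 'ultrarequests'), and close edit-distance variants
    ('requets', 'requests2'). Names joined with a separator ('flask-login',
    'requests-oauthlib') are the normal extension convention and are skipped.
    """
    n = normalize(name)
    if n in popular:
        return []
    hits = set()
    for p in popular:
        if p in n and "-" not in n.replace(p, "", 1):
            hits.add(p)
    hits.update(difflib.get_close_matches(n, popular, n=3, cutoff=cutoff))
    return sorted(hits)


# Constructs commonly abused to run code during `pip install`. Each is a
# signal for human review: legitimate build scripts use some of them too.
SUSPICIOUS = {
    "exec/eval": re.compile(r"\b(exec|eval)\s*\("),
    "base64 decode": re.compile(r"\bb64decode\s*\("),
    "network fetch": re.compile(r"\b(urlopen|requests\.get|urlretrieve)\s*\("),
    "shell": re.compile(r"\b(subprocess\.|os\.system\s*\(|os\.popen\s*\()"),
    "custom install cmd": re.compile(r"cmdclass\s*="),
}


def scan_setup_py(source):
    """Return the labels of suspicious patterns present in setup.py source."""
    return [label for label, rx in SUSPICIOUS.items() if rx.search(source)]


def vet_package(name, setup_py_source):
    """Combine both checks into one verdict suitable for a CI gate."""
    lookalikes = impersonation_candidates(name)
    findings = scan_setup_py(setup_py_source)
    return {
        "name": name,
        "lookalike_of": lookalikes,
        "setup_py_findings": findings,
        "block": bool(lookalikes or findings),
    }


# Constructed samples: a plain setup.py, and one shaped like an install-time
# dropper (the base64 string only decodes to a harmless print call).
BENIGN_SETUP = '''
from setuptools import setup
setup(name="example", version="1.0", packages=["example"])
'''

DROPPER_STYLE_SETUP = '''
import base64
from setuptools import setup
from setuptools.command.install import install

class Hook(install):
    def run(self):
        exec(base64.b64decode("cHJpbnQoJ2hpJyk="))  # constructed, harmless
        install.run(self)

setup(name="pyrequests", version="2.28.1", cmdclass={"install": Hook})
'''

if __name__ == "__main__":
    for pkg, src in (("requests", BENIGN_SETUP), ("pyrequests", DROPPER_STYLE_SETUP)):
        print(vet_package(pkg, src))
```

Run it before an install, or wire `vet_package` into the step that resolves a lockfile, and treat `block: True` as "a human reads the sdist first". The separator rule in `impersonation_candidates` is what keeps ordinary extension packages out of the alert stream; tune `cutoff` downward if you want to catch longer prefixes at the cost of more review work.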
Attackers target Discord and Roblox
Once installed, the package results in a W4SP Stealer infection, through which the actors can extract Discord tokens, passwords, and saved browser cookies in separate threads.
Separately, researchers at Snyk earlier this week released findings about around 12 malicious PyPI packages that steal Discord and Roblox users' login credentials and payment details. According to Kyle Suero, Snyk's lead researcher, the malware also tries to steal Google Chrome data or pilfer passwords and bookmarks from Windows systems, pivoting through all the accounts.
"Another interesting thing about this malware is that it is actually using Discord resources to distribute executables. Although this practice is not new, seeing cdn.discord.com tipped off our security researchers. The binaries are pulled down to the host via the Discord CDN," says Snyk.
The malicious packages have been removed from PyPI, but it is not known how many times they were downloaded before that. Code repository attacks keep rising: according to ReversingLabs, attacks on npm and PyPI have collectively spiked from 259 in 2018 to 1,010 in 2021, a 290% increase.
"If we keep ignoring the core problem, that is trusting the code, we can't handle software supply chain security," says Tomislav Peričin, co-founder and chief software architect at ReversingLabs, in the report.