Threat analysts at SentinelOne and Checkmarx have unearthed the hacker behind the recently launched phishing attacks targeting Python Package Index (PyPI) users.
Earlier this week on Thursday, researchers disclosed that the supply chain attacks were part of a larger campaign aimed at spreading the JuiceStealer credential-stealing malware since late last year.
Initially, JuiceStealer was deployed via a methodology called typosquatting, in which the hacker tracked as JuiceLedger injected PyPI with hundreds of packages that nearly impersonated the names of popular ones, in the hopes that some users would fall into a trap and install them.
The malware was identified on VirusTotal in February when the hacker submitted a Python app that secretly installed the malware. JuiceStealer is developed using the .Net programming framework to steal sensitive data from victims’ browsers.
Based on the data extracted from the code, the researchers have linked the malware to activity that started in late 2021 and has evolved rapidly since then. One likely connection is to Nowblox, a fraud site that claimed to offer free Robux, the online currency for the game Roblox.
Recently, the hacker started employing crypto-themed fake apps such as the Tesla Trading bot, which was deployed in zip files accompanying additional legitimate software.
"JuiceLedger appears to have evolved very quickly from opportunistic, small-scale infections only a few months ago to conducting a supply chain attack on a major software distributor," the researchers wrote in a post. "The escalation in complexity in the attack on PyPI contributors, involving a targeted phishing campaign, hundreds of typosquatting packages, and account takeovers of trusted developers, indicates that the threat actor has time and resources at their disposal."
With account takeover attacks becoming a popular technique for hackers looking to exploit software supply chains, PyPI has started imposing a mandatory two-factor authentication (2FA) requirement for projects deemed "critical." People downloading packages from PyPI—or any other open-source repository—should remain vigilant to ensure the software they're downloading is authentic.
PyPI is by far not the sole code repository that threat actors have exploited recently. Security vendors have reported multiple identical attack incidents involving other widely employed registries such as npm and Maven Central.
“Given the widespread use of PyPI and other open source packages in enterprise environments, attacks such as these are a cause of concern, and security teams are urged to review the provided indicators and take appropriate mitigation measures,” researchers added.