The Python Package Index (PyPI) has implemented a temporary halt on user registrations and the creation of new projects due to an ongoing malware scheme. PyPI serves as a central hub for Python projects, aiding developers in discovering and installing Python packages.
With a vast array of packages available, PyPI becomes an attractive target for malicious actors who often upload counterfeit or fraudulent packages, posing risks to software developers and potentially initiating supply-chain attacks. Consequently, PyPI administrators recently announced the suspension of new user registrations to address this malicious activity.
According to a report by Checkmarx, cyber threat actors began uploading 365 packages to PyPI, masquerading as legitimate projects. These packages contain malicious code within their 'setup.py' files, which triggers upon installation, attempting to retrieve additional harmful payloads from remote servers.
To avoid detection, the malicious code encrypts using the Fernet module, with the remote server's URL dynamically generated as required. The ultimate payload includes an information-stealing mechanism with persistent capabilities, targeting data stored in web browsers such as login credentials, cookies, and cryptocurrency extensions.
Checkmarx has published a comprehensive list of identified malicious entries, featuring numerous typosquatting variants of genuine packages. However, Check Point researchers reveal that the list of malicious packages exceeds 500 and was deployed in two phases. Each package originated from unique maintainer accounts with distinct names and email addresses.
The researchers note that each maintainer account uploaded only one package, suggesting the use of automation in orchestrating the attack. All entries shared the same version number, contained identical malicious code, and displayed randomly generated names.
This incident underscores the critical importance for software developers and package maintainers to rigorously verify the authenticity and security of components sourced from open-source repositories. Notably, this is not the first time PyPI has taken aggressive measures to protect its community from malicious submissions. Similar actions were taken on May 20 last year.