Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label PyPI Package. Show all posts

Unmasking the Surge of Malicious NPM and PyPI Packages

Cyberattacks originating from malicious packages on widely used software repositories like NPM and PyPI have increased significantly recently, as seen in the cybersecurity landscape. Due to the abundance of libraries and modules that they host, these platforms are essential tools for developers. They speed up the development process. Alarm bells have, however, gone off in the tech community due to an increase in fraudulent parcels.

According to reports, these repositories have been infiltrated by a steady supply of malicious packages, leaving developers who aren't vigilant for risks online exposed. These packages' attackers have demonstrated an astounding level of intelligence, using a number of evasion techniques.

These malicious packages, according to a recent analysis by cybersecurity specialists, have been skillfully created to look like legitimate ones, frequently utilizing names and descriptions that closely resemble well-known libraries. They are able to evade detection thanks to this camouflage, which makes it more difficult for developers to discern between legitimate and harmful services.

SSH keys were stolen in one well-known instance using a number of malicious PyPI and NPM packages. The attackers injected code that exfiltrated private information from unwary users by taking advantage of flaws in the repositories. There have been urgent requests for increased security measures on social platforms as a result of this tragedy.

The repercussions of falling for these deceitful goods might be dire. Developers who unwittingly incorporate them into their applications run the danger of opening up crucial systems to unauthorized access, data breaches, and other nefarious acts. In addition to end users' safety, this compromises the integrity of the affected apps.

Both the cybersecurity community and those that administer these repositories are stepping up their efforts to put effective security measures in place to counter this growing threat. Some of the tactics used to quickly detect and eliminate dangerous content include ongoing monitoring, automated scanning, and careful package vetting.

Developers should carefully select and incorporate third-party packages into their projects to mitigate the risk of malicious packages. Verifying the legitimacy of a package by checking its source, history, and popularity can help.

The surge of malicious packages on platforms like NPM and PyPI underscores the evolving nature of cyber threats. The tech community is working to fortify these repositories, but developers must remain vigilant and adopt best practices to protect their projects and the wider ecosystem from potential breaches. Collective vigilance and proactive measures are essential to curb this growing menace.

This Fraudulent ‘SentinelOne’ PyPI Package Steals Data from Developers

 

Researchers discovered criminals spoofing a well-known cybersecurity firm in an attempt to steal data from software developers. ReversingLabs researchers recently discovered a malicious Python(opens in new tab) package called "SentinelOne" on PyPI. 

The package, named after a well-known cybersecurity firm in the United States, masquerades as a legitimate SDK client, enabling easy access to the SentinelOne API from within a separate project. 

However, the package also includes "api.py" files that contain malicious code and allow threat actors to steal sensitive data from developers and send it to a third-party IP address (54.254.189.27). Bash and Zsh histories, SSH keys,.gitconfig files, hosts files, AWS configuration information, Kube configuration information, and other data are being stolen.

According to the publication, these folders typically store auth tokens, secrets, and API keys, granting threat actors additional access to target cloud services and server endpoints.

Worse, the package does provide the functionality that the developers expect. In reality, this is a hijacked package, which means that unsuspecting developers may use it and become victims of their own ignorance. The good news is that ReversingLabs confirmed the package's malicious intent and had it removed from the repository after reporting it to SentinelOne and PyPI.

The malicious actors were very active in the days and weeks leading up to the removal. The package was first submitted to PyPI on December 11, and it has been updated 20 times in less than a month.The researchers discovered that one of the issues fixed with an update was the inability to exfiltrate data from Linux systems.

The researchers concluded that it is difficult to say whether anyone fell for the scam because there is no evidence that the package was used in an actual attack. Nonetheless, all of the published versions were downloaded over 1,000 times.

An Active Typosquat Attack in PyPI and NPM Discovered

The typosquatting-based software supply chain threat, which targets explicitly Python and JavaScript programmers, is being warned off by Phylum security researchers.

What is Typosquatting?

Cybercriminals that practice typosquatting register domains with purposeful misspellings of the names of popular websites. Typically for malevolent intentions, hackers use this tactic to entice unwary users to other websites. These fake websites could deceive users into inputting private information. These sites can seriously harm an organization's reputation if attacked by these perpetrators. 

PYPI &NPM

Researchers alerted developers to malicious dependencies that contained code to download Golang payloads on Friday, saying a threat actor was typosquatting well-known PyPI packages. 

The Python Software Foundation is responsible for maintaining PyPI, the largest code repository for the Python programming language. Over 350,000 software programs are stored there. Meanwhile, NPM, which hosts over a million packages, serves as the primary repository for javascript programming. 

About the hack

The aim of the hack is to infect users with a ransomware variant. A number of files with nearly identical names, like Python Requests, are being used by hackers to mimic the Python Requests package on PyPI.

After being downloaded, the malware encrypts files in the background while changing the victim's desktop wallpaper to a picture controlled by the hacker, and looks like it came from the CIA.

When a Readme file created by malware is opened, a message from the attacker requesting $100, usually in a cryptocurrency, for the decryption key is displayed. 

The malware used is referred to as W4SP Stealer. It is able to access a variety of private information, including Telegram data, crypto wallets, Discord tokens, cookies, and saved passwords. 

One of the binaries is ransomware, which encrypts specific files and changes the victim's desktop wallpaper when executed. However, soon the malicious actors published numerous npm packages with identical behaviors. For the decryption key, they demand $100 in Bitcoin, XMR, Ethereum, or Litecoin.

Each of the malicious npm packages, such as discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr, contains JavaScript code that acts identical to the code embedded in the Python packages. 

Louis Lang, chief technology officer at Phylum, predicts a rise in harmful package numbers. These packages drop binaries, and the antivirus engines in VirusTotal identify these binaries as malicious. It is advised that Python and JavaScript developers adhere to the necessary cybersecurity maintenance and stay secure. 



PyPI Alerts of First-ever Phishing Campaign Against its Users

 

The Python Package Index, PyPI, issued a warning this week about an ongoing phishing campaign aimed at stealing developer credentials and injecting malicious updates into the repository's packages.

“Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI.” states the warning.

The phishing messages are intended to trick recipients into clicking a link in order to comply with a new Google mandatory validation process for all packages. Recipients are urged to complete the validation process by September to avoid having their packages removed from PyPI.

When users click the link, they are taken to a Google Sites landing page that looks similar to PyPI's login page. After obtaining the user account credentials, the attackers were able to push malicious updates to legitimate packages.

“The phishing attempt and the malicious packages are linked by the domain linkedopports[.]com, which appears in the malicious package code and also functions as the location to which the phishing site tries to send the stolen credentials.” reads the analysis published by Checkmarx.

This campaign's malicious packages attempt to download and execute a file from the URL hxxps:/python-release[.]com/python-install.scr. The packages had a low detection rate at the time of discovery; the malicious code is digitally signed and unusually large (63MB) in an attempt to evade AV detection).

The researchers also discovered another domain associated with this attacker's infrastructure, "ledgdown[.]com," which was registered under the same IP address. This domain masquerades as the official website of the cryptocurrency assets app "ledger live."
`
“This is another step in the attacks against open source packages and open source contributors.” concludes the post. “We recommend checking your network traffic against the IOCs listed below and as always, encouraging contributors to use 2FA.”

PyPI announced that it is revising its eligibility requirements for the hardware security key programme in the aftermath of the phishing attack. Any maintainer of a critical project, regardless of whether they already have TOTP-based 2FA enabled, it said.

Popular Python and PHP LIbraries Hijacked to Steal AWS Keys

 

A software supply chain assault has compromised the PyPI module 'ctx,' which is downloaded over 20,000 times per week, with malicious versions collecting the developer's environment variables. The threat actor even replaced older, secure versions of 'ctx' with code that gathers secrets like Amazon AWS keys and credentials by exfiltrating the developer's environment variables. 

In addition, versions of a 'phpass' fork released to the PHP/Composer package repository Packagist had been modified in a similar way to steal secrets. Over the course of its existence, the PHPass framework has had over 2.5 million downloads from the Packagist repository—though malicious variants are thought to have received significantly fewer downloads. 

The widely used PyPI package 'ctx' was hacked earlier this month, with newer released versions leaking environment variables to an external server. 'ctx' is a small Python module that allows programmers to manipulate dictionary ('dict') objects in various ways. Despite its popularity, the package's developer had not touched it since 2014, according to BleepingComputer. Newer versions, which were released between May 15th and this week, contained dangerous malware. 

The corrupted 'ctx' package was initially discovered by Reddit user jimtk. Somdev Sangwan, an ethical hacker, also revealed that the PHP package 'phpass' had been infiltrated, with tainted copies of the library taking developers' AWS secret keys. Although the malicious 'ctx' versions have been removed from PyPI, copies acquired from Sonatype's malware archives show the presence of harmful code in all 'ctx' versions. 

It's also worth noting that the 0.1.2 version, which hadn't been updated since 2014, was replaced this week with a malicious payload. Once installed, these versions gather all your environment variables and upload these values to the following Heroku endpoint: https://anti-theft-web.herokuapp[.]com/hacked/. At the time of analysis, the endpoint was no longer active. 

In a similar attack, the fork of 'hautelook/phpass,' a hugely popular Composer/PHP package, was hacked with malicious versions released to the Packagist repository. PHPass is an open-source password hashing framework that may be used in PHP applications by developers. The framework was first released in 2005 and has since been downloaded over 2.5 million times on Packagist. 

This week, BleepingComputer discovered malicious commits to the PHPass project that stole environment variables in the same way. The modified 'PasswordHash.php' file in PHPass looks for the values 'AWS ACCESS KEY' and 'AWS SECRET KEY' in your environment. Following that, the secrets are uploaded to the same Heroku endpoint. The presence of similar functionality and Heroku endpoints in both the PyPI and PHP packages suggests that both hijacks were perpetrated by the same threat actor. 

According to the researchers, the attacker's identity is evident. However, this could have been a proof-of-concept experiment gone wrong, and it would be irresponsible to name the individual behind the 'ctx' and 'phpass' hijack until additional information becomes available. Furthermore, while the malicious PyPI package 'ctx' remained active until later today, the impact of malicious 'PHPass' versions appears to have been far more limited after Packagist co-founder Jordi Boggiano marked the hijacked repository as "abandoned" and advised everyone to use bordoni/phpass instead. 

The hijacking of PyPI package 'ctx' is said to have been caused by a maintainer account compromise, but the true cause has yet to be discovered. The attacker claiming a previously abandoned GitHub repository and reviving it to publish altered 'phpass' versions to the Packagist registry has been ascribed to the hack of hautepass/phpass. 

Security Innovation, a cybersecurity organisation, previously dubbed this type of attack "repo jacking." Intezer and Checkmarx recently produced a joint study based on this research and how it can affect Go projects, termed it "chainjacking." This hijacking comes on the back of a PyPI typosquat being detected deploying backdoors on Windows, Linux, and Macs.