- A single typo could let hackers hijack a developer's system with malware hidden in fake packages
- Cross-platform malware is now fooling even experienced developers by imitating the names of open source packages
- Attackers are exploiting developers' trust with stealthy payloads that evade malware protection tools
A new supply chain attack has revealed how something as harmless as a typo can open the door to serious cybersecurity threats, experts have warned.
A Checkmarx report states that malicious actors are using clever tricks to deceive developers into downloading fake packages, which can give the hackers control of their systems.
The attackers are mainly targeting users of Colorama, a popular Python package, and Colorizr, a similar tool used in JavaScript (npm).
Misleading packages and the threat of typos
“This campaign targets Python and npm users on Windows and Linux through typosquatting and name confusion attacks,” said Ariel Harush, a Checkmarx researcher.
The attackers use a technique called typosquatting. For example, instead of “colorama”, a developer could accidentally type “Col0rama” or “Coloamaa” and download a harmful version.
These fake packages were uploaded to the PyPI repository, the main source of Python libraries.
“We have found malicious Python (PyPI) packages as part of a typosquatting campaign. The malicious packages enable remote control, persistence, etc.,” said Darren Meyer, Security Research Advocate at Checkmarx.
What makes this campaign unusual is that the attackers mixed names across ecosystems, using names from the npm (JavaScript) world to deceive Python users.
This cross-platform targeting is rare and suggests a more advanced and potentially coordinated strategy.
The Windows and Linux payloads have similar upload times and names, but use different tools, tactics and infrastructure, which means they may not come from the same source.
Once installed, the fake packages can cause serious damage: on Windows systems, the malware creates scheduled tasks to maintain persistence and harvests environment variables, which could include sensitive credentials.
It also tries to disable even the best antivirus software using PowerShell commands such as “Set-MpPreference -DisableIOAVProtection $True”.
On Linux systems, packages such as Colorizator and Coloraiz carry encoded payloads that create encrypted reverse shells, communicate through platforms such as Telegram and Discord, and exfiltrate data to services such as Pastebin.
These scripts do not execute immediately; they are designed for stealth and persistence, using techniques such as disguising themselves as kernel processes and editing rc.local and crontabs for automatic execution.
Although the malicious packages have been removed from the public repositories, the threat is far from over.
Developers must be very careful when installing packages, because even the best endpoint protection platforms struggle with these evasive tactics. Always double-check the spelling and make sure the package comes from a trusted source.
Checkmarx recommends that organizations audit all deployed and deployable packages, proactively examine application code, scan private repositories and block known malicious names.
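One way to turn the “double-check the spelling” and “block known malicious names” advice into an automated pre-install check, as an added example that is not Checkmarx's or the article's own code: it folds common homoglyphs, measures edit distance against a small watch-list, and flags names that belong to a different ecosystem (the npm-name-on-PyPI trick described above). The watch-list, homoglyph map, distance threshold and sample requirements are constructed for illustration.

```python
# Added example, not Checkmarx code: watch-list, homoglyph map, threshold and sample input are constructed.
import re

# Constructed watch-list: trusted names and the ecosystem each belongs to.
WATCHLIST = {
    "colorama": "pypi",   # Python package named in the report
    "colorizr": "npm",    # JavaScript package named in the report
}
# Assumed homoglyph folding so that "Col0rama" compares as "colorama".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def canonical(name: str) -> str:
    """PEP 503 style normalisation: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_name(name: str, ecosystem: str, max_distance: int = 2):
    """Classify one requested name: ("ok"|"cross-ecosystem"|"lookalike"|"unknown", match)."""
    canon = canonical(name)
    folded = canon.translate(HOMOGLYPHS)
    best = None
    for known, eco in WATCHLIST.items():
        if canon == known:  # exact name is fine only if it belongs to this ecosystem
            return ("ok", known) if eco == ecosystem else ("cross-ecosystem", known)
        dist = edit_distance(folded, known)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, known)
    return ("lookalike", best[1]) if best else ("unknown", None)

def audit_requirements(lines, ecosystem: str = "pypi"):
    """Return (requested_name, verdict, watch-list_name) for each suspicious spec line."""
    findings = []
    for line in lines:
        pkg = re.split(r"[\s<>=!~\[;#]", line.strip(), maxsplit=1)[0]  # name before version/comment
        if not pkg:
            continue
        verdict, known = check_name(pkg, ecosystem)
        if verdict in ("lookalike", "cross-ecosystem"):
            findings.append((pkg, verdict, known))
    return findings

SAMPLE_REQUIREMENTS = ["colorama==0.4.6", "Col0rama", "coloamaa>=1.0", "colorizr", "requests>=2.31"]  # constructed
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` reports Col0rama and coloamaa as lookalikes of colorama and colorizr as a cross-ecosystem name, while the correctly spelled colorama passes.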