Checkmarx researchers have uncovered a sophisticated campaign in which attackers built credibility within the Python Package Index (PyPI) community to release malware that drains cryptocurrency and steals data.
Just over a month ago, attackers uploaded several non-malicious Python packages, such as 'spl-types', to establish credibility and evade detection of a future attack, via the StackExchange Q&A website.
Just over a week later, the attackers released malicious versions of the packages that embedded obfuscated malware inside the 'init.py' file.
PyPI social hacking?
By first gaining the trust of the community, the hackers were able to deploy automatically executed malware to compromise the systems of unsuspecting victims, exfiltrating data and emptying cryptocurrency wallets.
The attackers posted seemingly helpful answers in popular StackExchange threads, directing users to their malicious package by abusing the trust typical of these platforms.
A backdoor component provided attackers with persistent remote access, allowing for long-term exploitation and further emptying of crypto wallets. The attack primarily targeted those working with the Raydium and Solana cryptocurrencies.
In addition to emptying wallets, the malware also obtained sensitive data such as browser history, saved passwords, cookies, and credit card information. It also attacked messaging apps such as Telegram and Signal to capture screenshots and search for files with specific keywords related to cryptocurrencies and sensitive data.
Given the socially manipulative element of the attack, researchers reaffirm the importance of verifying the authenticity of software packages and maintaining vigilance against potentially harmful forum content.
Additionally, basic cybersecurity measures such as not downloading unknown content, protecting online accounts with strong passwords and two-factor authentication, and keeping software up to date are vital steps to combat the spread of malware.
