It's been a while since we've heard about malware hidden in PyPI packages, but researchers have now reported finding nearly a dozen lurking in the open source Python Package Index (PyPI) repository.
Cybersecurity researchers at Fortinet's FortiGuard Labs found nine packages delivering WhiteSnake Stealer. The packages are called nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends and TestLibs111. WhiteSnake is a Windows information stealer, capable of bypassing antivirus programs and communicating with the C2 server through the Tor protocol, the researchers explained.
Its main function is to steal information from compromised endpoints and execute various commands. The data it targets is mainly from web browsers, cryptocurrency wallets and browser add-ons, as well as applications such as Discord, Signal and Telegram.
Eyes on cryptocurrencies
Some of the packages were also observed to carry a more advanced version of the malware, one that adds a clipboard monitor and an overwrite feature. This feature is designed to aid cryptocurrency theft: people who want to send tokens from one address to another almost always copy and paste the receiving address rather than typing it. The malware replaces the copied wallet address with one belonging to the attackers, so the victim sends their funds to the wrong address.
PyPI is one of the largest and most popular Python package repositories in the world. As such, it is a frequent target of threat actors, who typically do one of two things: create an entirely new malicious package, or engage in typosquatting, that is, create a package that mimics a legitimate one and give it a nearly identical name. That way, developers install the malicious package by mistake.
Developers are urged to be vigilant when using PyPI and similar services and to always make sure they are downloading the legitimate package. They should keep an eye out for odd spellings in package names, inconsistent download numbers, and user reviews.
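A defender-side check for the typosquatting pattern described above, added here as an example and not part of the original article or of Fortinet's research: it normalizes names the way PyPI does (PEP 503) and flags a requested package name that is an exact match for nothing but sits within a small edit distance of a known package. The list of known packages is a constructed assumption; in practice it would come from your own lock file or a curated allow-list.

```python
import re
from typing import Optional

# Constructed allow-list of well-known package names (an assumption for this
# example; in practice take it from your lock file or a curated list).
KNOWN_PACKAGES = ["requests", "numpy", "pandas", "urllib3", "setuptools",
                  "cryptography", "pillow", "python-dateutil", "pyyaml"]


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of -, _ and . into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidate(requested: str, known=KNOWN_PACKAGES,
                        max_distance: int = 2) -> Optional[str]:
    """Return the known package that `requested` looks like, or None.

    An exact match after normalization is treated as legitimate (None);
    a near-miss within max_distance edits returns the name it imitates.
    """
    req = normalize(requested)
    norm_known = {normalize(k): k for k in known}
    if req in norm_known:
        return None
    best = None
    for norm, original in norm_known.items():
        d = edit_distance(req, norm)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, original)
    return best[1] if best else None


def check_requirements(lines) -> list:
    """Scan requirements.txt-style lines; return (requested, imitated) pairs."""
    findings = []
    for line in lines:
        # Strip version specifiers, extras, markers and trailing whitespace.
        name = re.split(r"[<>=!~\[;\s]", line.strip(), maxsplit=1)[0]
        if not name or name.startswith("#"):
            continue
        hit = typosquat_candidate(name)
        if hit:
            findings.append((name, hit))
    return findings
```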
Via The Hacker News