The new onyxproxy Python package uses a Unicode trick to avoid detection

March 31, 2023
Onyxproxy Python Package Detection Avoidance Infostealer Malware

A new malicious package on the Python Package Index (PyPI) repository, called onyxproxy, uses a technique not previously seen on PyPI: it spells its identifiers with Unicode look-alike letters to slip past string-based security detections and launch information-stealing malware.

Based on reports, the newly discovered malicious package was available on PyPI earlier this month. The package includes several capabilities that could allow its operators to collect and exfiltrate credentials and troves of data.

Unfortunately, the package attracted more than 150 downloads before its removal from the repository. According to a software supply chain researcher, the package combines malicious behaviour in its setup script with thousands of seemingly legitimate code strings.

The identifiers in those strings are written with a mix of bold and italic letters taken from Unicode's Mathematical Alphanumeric Symbols, and they remain readable despite the inconsistent appearance. Python normalises every identifier with NFKC before it is used, so a name spelled with bold or italic letters resolves to exactly the same variable as its plain ASCII spelling; the interpreter therefore runs the stealer's code unchanged, while a scanner matching on the ASCII strings sees nothing.

Because the code lives in the setup script, the stealer only runs once the malicious package is installed.

 

The onyxproxy package makes heavy use of this Unicode technique, which lets it carry out its attack without being flagged.

 

The recent investigation revealed that the onyxproxy operators' primary weapon is readability: the code still reads as ordinary Python to the interpreter and to a casual reviewer. Using Unicode has allowed them to bypass security solutions and avoid analysis.

The visual differences between the spellings do not stop the package from running, yet they defeat scanners that match on exact strings.

Furthermore, using several Unicode variants of the same character disguises the package's malicious intent, and other threat actors could adopt the same method soon.
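The following example, added here and not part of the article or of the onyxproxy package, reproduces the mechanism described above and the detection gap it creates. It builds a constructed, harmless snippet in which one variable is spelled in bold, in sans-serif italic and in plain ASCII, runs it to show that Python's NFKC identifier normalisation folds all three spellings into one name, and then scans the snippet two ways: through the AST, where normalisation has already erased the evidence, and at the token level, where a scanner can still catch identifiers whose NFKC form differs from their raw text. The `style` helper, the `SAMPLE` text and the function names are this example's own, not anything from the package.

```python
import ast
import io
import tokenize
import unicodedata


def style(word, face):
    """Re-spell an ASCII lowercase word with letters from the Unicode
    Mathematical Alphanumeric Symbols block, e.g. face="BOLD" or
    face="SANS-SERIF ITALIC". The result looks like `word` to a human
    but contains no ASCII letters at all."""
    return "".join(
        unicodedata.lookup(f"MATHEMATICAL {face} SMALL {ch.upper()}") for ch in word
    )


# Constructed stand-in for the disguised code (hypothetical; not the onyxproxy
# source). The same variable is spelled three ways: bold, sans-serif italic
# and plain ASCII. Python applies NFKC normalisation to every identifier
# (PEP 3131), so all three spellings name the single variable `payload`.
BOLD_PAYLOAD = style("payload", "BOLD")
ITALIC_PAYLOAD = style("payload", "SANS-SERIF ITALIC")
SAMPLE = "\n".join([
    f"{BOLD_PAYLOAD} = 'hello'",
    f"{ITALIC_PAYLOAD} = {BOLD_PAYLOAD} + ' world'",
    "result = payload",
    "",
])


def run_sample(source):
    """Execute the snippet in a fresh namespace and return the names it
    defined. Only ASCII names come back, which shows the interpreter folded
    the styled spellings into the plain one."""
    ns = {}
    exec(compile(source, "<constructed>", "exec"), ns)
    return {k: v for k, v in ns.items() if k != "__builtins__"}


def ast_names(source):
    """Names as seen through the AST. Normalisation has already happened by
    this point, so an AST-based scanner sees only the plain ASCII name and
    cannot tell that styled spellings were ever present."""
    return {n.id for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Name)}


def find_disguised_identifiers(source):
    """Scan at the token level, where the raw text is still available.
    Report every identifier that is not pure ASCII but whose NFKC form is a
    different string: such an identifier is an alias for a plainer spelling,
    the signature of this obfuscation. Returns (line, raw, normalised)."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME or tok.string.isascii():
            continue
        normalised = unicodedata.normalize("NFKC", tok.string)
        if normalised != tok.string:
            hits.append((tok.start[0], tok.string, normalised))
    return hits


if __name__ == "__main__":
    print(SAMPLE)
    print("namespace after exec:", run_sample(SAMPLE))
    print("names via ast:", ast_names(SAMPLE))
    for line, raw, norm in find_disguised_identifiers(SAMPLE):
        print(f"line {line}: {raw!r} normalises to {norm!r}")
```

Run against a package's setup.py before installing it, the token-level check flags every styled identifier with its line number and the plain name it aliases; the AST check is included to show why a scanner built on `ast` alone would report nothing.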

Abusing Unicode to hide flaws in source code was first described in a Cambridge University study whose researchers named the attack Trojan Source. That work centred on bidirectional override characters and homoglyphs that fool human reviewers; onyxproxy applies the same idea in a different way, exploiting the interpreter's own identifier normalisation, and the approach is now in the hands of malicious actors.

The Unicode technique used by the onyxproxy operators is not sophisticated compared to other malicious packages, and parts of the hidden code appear to have been copied from other sources. The novelty lies in the obfuscation, not in the stealer itself.

This recent campaign shows that malicious PyPI package developers continue to devise new strategies for bypassing security defences. Therefore, users should review packages before installing them from these repositories, and treat non-ASCII identifiers in a setup script as a warning sign.
