HQ/EMEAFind out how we can help your business
The Python Package Index (PyPI) has temporarily suspended new user registrations and created fresh projects to address the increasing number of malware campaigns against it since it has become a primary target for various threat actors.
Hackers frequently use this platform to upload deceptive or face packages to infect and compromise software developers and potentially instigate supply-chain attacks.
Earlier this week, PyPI admins announced the suspension of new user registrations to counteract the surge in malicious activities. This decision follows a concerning report from recent research, revealing that threat actors initiated uploading 365 packages to PyPI, posing as legitimate projects.
These malicious packages contain hostile code attached within the ‘setup.py’ file, which activates upon installation, aiming to recover additional payloads from remote servers.
In addition, these campaigns encrypt malicious code using the Fernet module, and the URL of the remote resource is dynamically generated to bypass detection solutions. Subsequently, the final payload is an information stealer malware with persistence capabilities, targeting valuable data stored in web browsers, including login credentials, cookies, and cryptocurrency extensions.
Numerous malicious packages have plagued PyPI for the past couple of years, prompting the repository to place such suspension.
A recent study has published a comprehensive list of the malicious entries discovered in PyPI by different researchers in the past few months. These campaigns featured numerous typosquatting variants of genuine packages.
However, the researchers noted that the scale of the threat is even more significant since threat actors deployed over 500 malicious packages in two phases. Additionally, each package came from distinct maintainer accounts, showing the sophisticated automation of threat actors in orchestrating the attack.
Furthermore, each maintainer account uploaded only one package, suggesting a systematic approach to the attack strategy. The researchers note that all entries share identical version numbers, contain the same malicious code, and feature randomly generated names, emphasising the deliberate attempt to hide the campaign.
These malicious PyPI operations are the signs that software developers should rigorously authenticate and verify packages and the security of components sourced from open-source repositories.
Repositories are in constant battle with continually evolving cybercriminal campaigns. Therefore, developers should take proactive measures that help safeguard against malicious infiltrations and protect the integrity of software ecosystems.
