Just days after security researchers from the Israeli cybersecurity firm Check Point discovered ten malicious packages on the Python Package Index (PyPI), two more malicious Python packages have been found in the same public code repository that Python developers install from.
The two additional packages were found by Kaspersky, which published an advisory describing how both masqueraded as one of the most popular open-source packages on PyPI.
According to Kaspersky, the attacker reused the description of the legitimate "requests" package to trick victims into installing a malicious one. The description also included fabricated statistics claiming that the package had received more than 48,000 "stars" on GitHub and had been installed 230 million times in a single month.
The project description also refers to the author’s email address and the web pages of the original "requests" package, Kaspersky said, with the name of the malicious package substituted for every instance of the legitimate package’s name.
Except for one file, exception.py, the malicious packages’ code was remarkably similar to that of the legitimate "requests" package. The modified file delivers the script’s malicious payload and is dated July 30, the day the malicious package was published.
The script creates a temporary file and uses the system.start() function to run a second, one-line Python script inside it. According to Kaspersky, that one-line script downloads the next-stage script.
The next stage relies on a downloader obfuscated with the publicly available tool Hyperion, which in turn fetches the final-stage payload, including a script that lets the malware persist on the infected machine. The final payload is a Python Trojan that uses the same obfuscator as the downloader and is named "W4SP Stealer" by its creator in the code.
The malware can steal IP addresses and decrypt saved browser cookies and passwords. Once the machine is infected, the Trojan begins gathering browser passwords, saved cookies and Discord tokens in separate threads. The injected script watches for the victim’s actions, such as changing an email address, password or billing information, and the updated information is also relayed to a Discord channel. Kaspersky closed its report by noting that it had informed the Snyk Vulnerability Database and the PyPI security team about the two packages.
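The metadata reuse described above (a trusted package's description, author email and project URLs with only the name swapped) is something a defender can check for before a package reaches a build. The following is an added example, not code from the Kaspersky report or from this article; the `TRUSTED` entry uses constructed placeholder values rather than the real "requests" metadata, and `scan_installed()` reads whatever is installed in the current environment.

```python
"""Flag installed-package metadata that impersonates a trusted PyPI package.
Added example, not from the Kaspersky report; reference values are constructed
placeholders, not the real "requests" metadata."""
import importlib.metadata
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class PackageMeta:
    name: str
    author_email: str
    home_page: str
    summary: str

# Constructed allow-list entry; in practice take these from the real package.
TRUSTED: Dict[str, PackageMeta] = {"requests": PackageMeta(
    "requests", "maintainer@example.org", "https://requests.example.org",
    "requests: HTTP for Humans.")}

def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Requests_X' and 'requests-x' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def impersonation_findings(cand: PackageMeta) -> List[str]:
    """Return reasons `cand` looks like a copy of a trusted package (empty if clean)."""
    findings: List[str] = []
    for trusted in TRUSTED.values():
        if normalize(cand.name) == normalize(trusted.name):
            continue  # this is the trusted package itself
        if cand.author_email.lower() == trusted.author_email.lower():
            findings.append(f"author e-mail copied from {trusted.name}")
        if cand.home_page.rstrip("/").lower() == trusted.home_page.rstrip("/").lower():
            findings.append(f"home page copied from {trusted.name}")
        # Undo a name swap in the summary; if the trusted text reappears it was copied.
        restored = cand.summary.replace(cand.name, trusted.name) if cand.name else cand.summary
        if trusted.summary and restored.strip().lower() == trusted.summary.strip().lower():
            findings.append(f"summary copied from {trusted.name} with the name replaced")
    return findings

def scan_installed() -> Dict[str, List[str]]:
    """Check every distribution in the current environment, e.g. as a CI gate."""
    report: Dict[str, List[str]] = {}
    for dist in importlib.metadata.distributions():
        md = dist.metadata
        meta = PackageMeta(md.get("Name") or "", md.get("Author-email") or "",
                           md.get("Home-page") or "", md.get("Summary") or "")
        if hits := impersonation_findings(meta):
            report[meta.name] = hits
    return report
```

A non-empty report is a reason to stop the build and inspect the package's files, starting with the one module that differs from the trusted copy.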