4 Min Read
Python coiled up on a branch
Source: Ernie James via Alamy Stock Photo

Japanese cybersecurity officials warned that North Korea's infamous Lazarus Group hacking team recently waged a supply chain attack targeting the PyPI software repository for Python apps.

Threat actors uploaded tainted packages with names such as "pycryptoenv" and "pycryptoconf" — similar in name to the legitimate "pycrypto" encryption toolkit for Python. Developers who get tricked into downloading the nefarious packages onto their Windows machines are infected with a dangerous Trojan known as "Comebacker."

"The malicious Python packages confirmed this time have been downloaded approximately 300 to 1,200 times," Japan CERT said in a warning issued late last month. "Attackers may be targeting users' typos to have the malware downloaded."

Gartner senior director and analyst Dale Gardner describes Comebacker as a general purpose Trojan used for dropping ransomware, stealing credentials, and infiltrating the development pipeline.

Comebacker has been deployed in other cyberattacks linked to North Korea, including an attack on an npm software development repository.

"The attack is a form of typosquatting — in this case, a dependency confusion attack. Developers are tricked into downloading packages containing malicious code," Gardner says.

The latest attack on software repositories is a type that has surged over the last year or so.

"These types of attacks are growing rapidly — the Sonatype 2023 open source report revealed 245,000 such packages were discovered in 2023, which was twice the number of packages discovered, combined, since 2019," Gardner says.

Asian Developers "Disproportionately" Affected

PyPI is a centralized service with a global reach, so developers worldwide should be on alert for this latest campaign by Lazarus Group.

"This attack isn't something that would affect only developers in Japan and nearby regions," Gardner points out. "It's something for which developers everywhere should be on guard."

Other experts say non-native English speakers could be more at risk for this latest attack by the Lazarus Group.

The attack "may disproportionately impact developers in Asia," due to language barriers and less access to security information, says Taimur Ijlal, a tech expert and information security leader at Netify.

"Development teams with limited resources may understandably have less bandwidth for rigorous code reviews and audits," Ijlal says.

Jed Macosko, a research director at Academic Influence, says app development communities in East Asia "tend to be more tightly integrated than in other parts of the world due to shared technologies, platforms, and linguistic commonalities."

He says attackers may be looking to take advantage of those regional connections and "trusted relationships."

Small and startup software firms in Asia typically have more limited security budgets than do their counterparts in the West, Macosko notes. "This means weaker processes, tools, and incident response capabilities — making infiltration and persistence more attainable goals for sophisticated threat actors."

Cyber Defense

Protecting application developers from these software supply chain attacks is "difficult and generally requires a number of strategies and tactics," Gartner's Gardner says.

Devs should exercise increased caution and care when downloading open source dependencies. "Given the amount of open source used today and the pressures of fast-paced development environments, it's easy for even a well-trained and vigilant developer to make a mistake," Gardner warns.

This makes automated approaches to "managing and vetting open source" an essential protective measure, he adds.

"Software composition analysis (SCA) tools can be used to evaluate dependencies and can help in spotting fakes or legitimate packages that have been compromised," Gardner advises, adding that "proactively testing packages for the presence of malicious code" and validating packages using package managers also can mitigate risk.

"We see some organizations establishing private registries," he says. "These systems are supported by processes and tools that help vet open source to ensure it's legitimate" and doesn't contain vulnerabilities or other risks, he adds.

PyPI No Stranger to Danger

While developers can take steps to lower exposure, the onus falls on platform providers like PyPI to prevent abuse, according to Kelly Indah, a tech expert and security analyst at Increditools. This is not the first time malicious packages have been slipped onto the platform.

"Developer teams in every region rely on the trust and security of key repositories," Indah says. "This Lazarus incident undermines that trust. But through enhanced vigilance and a coordinated response from developers, project leaders, and platform providers, we can work together to restore integrity and confidence."

About the Author(s)

John Leyden, Contributing Writer

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights