Whack-a-Mole: More Malicious PyPI Packages Spring Up Targeting Discord, Roblox
Just as one crop of malware-laced software packages is taken down from the popular Python code repository, a new host arrives, looking to steal a raft of data.
August 16, 2022
Just a week after 10 malicious software packages were found nesting in the Python Package Index (PyPI) repository, several more have come to light, uncovered by different firms. It's becoming a bit of a whack-a-mole exercise, snuffing out bad code only to find more taking its place.
In last week's disclosure, researchers at Check Point found Trojanized packages mimicking popular legitimate components, containing droppers for information-stealing malware. That prompted Kaspersky analysts to scour the open source repository further, which led to the discovery of two more rogue offerings, dubbed "pyrequests" and "ultrarequests," that purported to be one of the most popular packages in PyPI (which is simply named "requests").
"The attacker used a description of the legitimate 'requests' package in order to trick victims into installing a malicious one," according to Kaspersky's Tuesday analysis. "The description contains faked statistics, as if the package was installed 230 million times in a month and has more than 48,000 stars on GitHub. The project description also references the web pages of the original requests package, as well as the author’s email. All mentions of the legitimate package's name have been replaced with the name of the malicious one."
If installed, the result is a W4SP Stealer infection, through which attackers can steal Discord tokens, saved cookies, and passwords from browsers in separate threads.
Meanwhile, researchers at Snyk on Tuesday published findings around a dozen malicious PyPI packages aimed at stealing Discord and Roblox users’ credentials and payment info. According to Kyle Suero, Snyk's lead researcher on the report, the malware will also attempt to steal Google Chrome data or pilfer passwords and bookmarks from Windows machines to pivot throughout all accounts.
All of the offending packages have been removed from PyPI; however, it's unclear how many times they were downloaded before that.
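A pre-install check that looks for the two signals described above (a name that pads or near-matches a well-known package, and a description that links to that project's pages), added here as an example and not code from the article, Kaspersky or Snyk; the KNOWN_PROJECTS allow-list and the sample metadata records are constructed assumptions:

```python
"""Heuristics for PyPI lookalike packages, modelled on the
pyrequests/ultrarequests pattern (added example, constructed data)."""
from difflib import SequenceMatcher

# Assumption: a team-maintained allow-list of well-known packages, keyed by
# name, with the hosts/paths the genuine project legitimately links to.
KNOWN_PROJECTS = {
    "requests": {"requests.readthedocs.io", "github.com/psf/requests"},
}

def name_mimics(candidate: str, known: str) -> bool:
    """True when `candidate` is not `known` but embeds it or is a near-typo."""
    c, k = candidate.lower(), known.lower()
    if c == k:
        return False
    if k in c:  # padded name: "pyrequests", "ultrarequests"
        return True
    return SequenceMatcher(None, c, k).ratio() >= 0.85  # e.g. "reqeusts"

def description_borrows(meta: dict, hosts: set) -> bool:
    """True when the package's own text links to another project's sites."""
    fields = ("summary", "description", "home_page")
    text = " ".join(str(meta.get(f, "")) for f in fields).lower()
    return any(h in text for h in hosts)

def assess(meta: dict) -> list:
    """Return findings for one package's PyPI-style metadata record."""
    findings = []
    for known, hosts in KNOWN_PROJECTS.items():
        if name_mimics(meta["name"], known):
            findings.append(f"name '{meta['name']}' mimics '{known}'")
            if description_borrows(meta, hosts):
                findings.append(f"description links to {known}'s project pages")
    return findings

# Constructed sample metadata, not real PyPI records.
SAMPLES = [
    {"name": "requests", "summary": "Python HTTP for Humans.",
     "home_page": "https://requests.readthedocs.io"},
    {"name": "ultrarequests", "summary": "ultrarequests: HTTP for Humans.",
     "description": "Docs at https://requests.readthedocs.io ...",
     "home_page": "https://requests.readthedocs.io"},
    {"name": "numpy", "summary": "Fundamental package for array computing."},
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record["name"], "->", assess(record) or "no findings")
```

Such heuristics only triage; a hit means "inspect before installing", and the genuine package itself must never trigger (see the first sample).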
"As long as we keep ignoring the core of the problem — which is how do you trust code — we are not handling software supply chain security," said Tomislav Peričin, co-founder and chief software architect at ReversingLabs, in a recent report.