Python backdoor can be opened by compromised PyPI on several OS

May 31, 2022

Researchers have discovered a malicious Python package in the PyPI registry that is being used in a supply chain attack. The newly discovered attack aims to deploy backdoors and Cobalt Strike beacons on several operating systems: Windows, Linux, and macOS.

The threat actors published a malicious package named ‘pymafka’ on PyPI. The name is almost identical to PyKafka, a client for Apache Kafka that is well known to many users and has more than four million downloads on the PyPI registry.

The intentionally misspelt package reached more than 300 users and might have caused damage to those infected, as it gives the attackers initial access to the developer’s internal network.

Fortunately, ‘pymafka’ was removed after threat analysts reported it. With this kind of access, the threat actors can move laterally across the developer’s network and steal data. The attack can also drop additional malware or deploy ransomware.

The threat actors needed a hostile script to start deploying the Python backdoor.

A separate researcher believed that the infection starts when the ‘setup.py’ script found inside the malicious package is executed. The script identifies the operating system of the infected device and downloads a payload matching that OS.

For Windows and macOS systems, the payload launched by the script is a Cobalt Strike beacon, which provides remote access to the compromised system. The beacon is a fileless shellcode agent that security solutions do not easily detect.

For Linux systems, the script connects to a remote URL and pipes the output into a bash shell. Which commands the threat actors run is still not identified; researchers assume that it opens a reverse shell.

Software developers should be mindful of typosquatted packages and misspelt names when pulling software libraries into their applications. Experts also advise that they examine package names and details and verify that the building blocks they install are the ones they intend.
