JFrog researchers discovered 11 new malware packages hiding in the PyPI open-source repository. In a blog post Thursday, they list each package with its number of downloads and detection indicators, and describe its function. In July, JFrog had reported finding malicious PyPI packages that had been downloaded more than 30,000 times, designed to steal credit card data and inject malicious code onto networks. This new report discusses new discoveries with more sophisticated methods of evading detection.
- importantpackage – Connectback shell with novel exfiltration
- HTTP-based command & control using TrevorC2
- ipboards & pptest – Exfiltration via DNS-tunneling
- owlmoon and DiscordSafety – Trojans that Hijack Discord Tokens
- Bug-bounty-seeking “malware” packages
While this set of malicious packages may not have the same ‘teeth’ as JFrog’s previous discoveries, what’s notable is the increasing level of sophistication with which they are executed. There is a lot more subterfuge going on with these packages, and some of them may even be setting up for a follow-up attack after the initial reconnaissance, instead of running a highly compromising payload to start.
Saryu Nayyar, CEO, Gurucul (she/her) had this to say:
As if there wasn’t enough malware hiding in open-source projects, JFrog researchers have found 11 more packages in the PyPI open source repository. These malware packages are designed to steal credit card data and/or inject code into systems and networks, opening up holes in software to be able to be exploited by subsequent attacks.
Attackers are getting more sophisticated and more brazen with their malware, using techniques to hide the end result of its execution. As malware grows in its complexity and impact, enterprises need to match this sophistication with tools to enable their SOC and IT staffs to have a chance of successfully combating these packages.
Clearly threat actors are upping their game, which means that the response has to match that in order to avoid any sort of compromise.
External Link: PyPi – Malware Pkgs Downloaded More Than 41,000 Times