Malicious PyPI software packages found stealing payment card numbers and injecting code

Security researchers have discovered malicious software packages from Python’s official third party software package repository PyPl stealing payment card numbers and injecting code.

JFrog researchers found multiple malicious packages that they estimated have been downloaded 30,000 times. PyPl (short name for Python Package Index) promptly removed the compromised packages after being notified by JFrog.

According to the report, one of the packages dubbed noblesse includes a payload that contains a Discord token stealer and credit card stealer that is Windows-based.

In addition, five other packages (genesisbot, aryi, suffer, noblesse2, and noblessev2) also are designed to steal tokens and payment card numbers. Two other packages (pytagora and pytagora2) can execute remote code.

All of the packages use obfuscation techniques to try to hide itself from static analysis scanners. For example, each can encode Python text with some simple encoder (e.g., Base64) or evaluate the decoded text as code, using eval.

Developers should always be suspicious of Python modules installed on systems, especially if they require root privileges. JFrog provided guidance and methods for developers to automatically detect malicious packages like these and further prevent supply chain attacks.

Last year, the National Security Agency (NSA) also released guidelines to help organizations mitigate cloud vulnerabilities, one of those being cloud supply chain attacks. The NSA specifically called out PyPl attack in late 2019 and also the ShadowHammer attack in 2018. As part of the latter threat, cybercriminals hijacked ASUS Live Update and downloaded a back-doored version to thousands of ASUS PCs.

The NSA warned that inside attackers or agents could insert themselves into the cloud supply chain. As a result, a supplier, administrator or developer could compromise cloud environments as part of nation state attack.

Related Articles