Threat actors launch zero-day attack against Python Package Index (PyPI) packages

Researchers have discovered threat actors launching a zero-day attack against packages in the Python Package Index (PyPI) repository.

According to FortiGuard Labs, malware authors going by the names ‘Portugal’ and ‘Brazil’ published the malicious packages ‘xhttpsp’ and ‘httpssp’.

While monitoring the open-source ecosystem, the security firm discovered the packages on January 31, 2023; they had been published shortly before, on January 27, 2023.

After analyzing the code, FortiGuard found the malicious code in the setup.py installation script.

Moreover, the researchers found that the developers used multiple, complex layers of obfuscation.

“With just a simple copy and paste of a brief code, malware authors are able to easily distribute malicious packages to steal or exfiltrate sensitive data through platforms such as Discord and Telegram,” FortiGuard wrote in a blog post.

“A good indication of a malicious package is when a lot of obfuscation is involved. This technique is quite common among malware authors, so it may be a wise idea for Python end users to check twice for this before using new packages,” the company added.
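As an added illustration of the heuristic FortiGuard describes (this is not code from the original article or from FortiGuard), the following Python script statically flags a setup.py that combines dynamic code execution with encoding modules or long, high-entropy string literals. The two setup.py samples and the 4.0 bits-per-character threshold are constructed for the demo.

```python
import ast
import base64
import math
import re

# Names whose presence in an install script warrants a closer look.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}
SUSPICIOUS_MODULES = {"base64", "marshal", "zlib", "codecs", "binascii"}
# Long runs drawn only from the base64/urlsafe alphabet (plus '=' padding).
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{40,}$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded blobs sit near 5, repetitive padding far lower."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_setup_py(source: str) -> dict:
    """Collect obfuscation indicators from setup.py source without executing it."""
    tree = ast.parse(source)
    findings = {"calls": [], "modules": [], "blobs": 0}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id in SUSPICIOUS_CALLS:
            findings["calls"].append(node.func.id)
        elif isinstance(node, ast.Import):
            findings["modules"] += [a.name for a in node.names if a.name in SUSPICIOUS_MODULES]
        elif isinstance(node, ast.ImportFrom) and node.module in SUSPICIOUS_MODULES:
            findings["modules"].append(node.module)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if B64_RE.match(node.value) and shannon_entropy(node.value) > 4.0:
                findings["blobs"] += 1
    # Dynamic execution fed by decoded material is the pattern the article describes.
    findings["suspicious"] = bool(findings["calls"]) and (
        bool(findings["modules"]) or findings["blobs"] > 0)
    return findings

# Constructed samples for the demo (not the real xhttpsp/httpssp code).
BENIGN = """
from setuptools import setup
setup(name="example", version="0.1", packages=["example"])
"""
payload = base64.b64encode(b"print('constructed harmless payload for the demo')").decode()
OBFUSCATED = f"""
import base64, zlib
from setuptools import setup
exec(base64.b64decode("{payload}"))
setup(name="example", version="0.1")
"""

if __name__ == "__main__":
    print(scan_setup_py(BENIGN)["suspicious"], scan_setup_py(OBFUSCATED)["suspicious"])
```

Run it against an unpacked sdist before `pip install`; a hit is a reason to read the script by hand, not proof of malice, since some legitimate build scripts also decode embedded data.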

On a similar note, readers may recall that in August 2021 researchers discovered malicious packages on PyPI that stole payment card numbers and injected code.

JFrog researchers found multiple malicious packages that they estimated had been downloaded 30,000 times. PyPI promptly removed the malicious packages after being notified by JFrog.

One of the packages, dubbed noblesse, included a Windows-based payload containing a Discord token stealer and a credit card stealer.
