Researchers have discovered over two dozen Python packages on the PyPI registry that are pushing info-stealing malware.
Most of these contain obfuscated code that drops “W4SP” info-stealer on infected machines, while others make use of malware purportedly created for “educational purposes” only.
31 typosquats drop ‘W4SP’ info-stealer
Researchers have identified over two dozen Python packages on the PyPI registry that imitate popular libraries but instead drop info-stealers after infecting machines.
The packages, listed below, are typosquats—that is, threat actors publishing these have intentionally named them similar to known Python libraries in hopes that developers attempting to fetch the real library make a spelling error and inadvertently retrieve one of the malicious ones.
Software supply chain security firm Phylum revealed 29 packages in its report published yesterday:
Taking ‘typesutil’ as an example, Phylum researchers explained how the threat actor was injecting malicious code via the “__import__” statement into “otherwise healthy codebase” borrowed from legitimate libraries, a theme we’ve repeatedly seen before.
“…This particular attack starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase,” write Phylum researchers.
“The benefit this attacker gained from copying an existing legitimate package, is that because the PyPI landing page for the package is generated from the setup.py and the README.md, they immediately have a real looking landing page with mostly working links and the whole bit. Unless thoroughly inspected, a brief glance might lead one to believe this is also a legitimate package.”
In the report, the researchers explain in great detail the challenges they faced while analyzing the obfuscated code spanning over 71,000 characters which was “quite a bit of mud” they had to trudge through.
Ultimately, the researchers concluded that the malware dropped by these packages was W4SP Stealer that exfiltrates your Discord tokens, cookies and saved passwords.
All of the packages put together have been downloaded over 5,700 times based on Pepy.tech stats, report Phylum researchers.
In August, Kaspersky Securelist researchers had also analyzed malicious PyPI packages which, much like these, were obfuscated with open source tool called Hyperion and caught dropping W4SP.
Type me once, read me twice!
Additionally, software developer and researcher Hauke Lübbers came across PyPI packages “pystile” and “threadings” containing malware that labeled itself “GyruzPIP.”
According to the researcher, however, this malware is based on an open source project called evil-pip published for “educational purposes only.”
Two malicious #python packages reported to @pypi: “pystile” and “threadings”. Both make use of the open source “educational malware” EvilPIP, but are calling themselves “GyruzPIP Malware”.
— Hauke Lübbers (@streamlin3d) November 1, 2022
BleepingComputer observed the code contained within these two typosquats was much simpler to analyze: with each function name clearly stating its intended purpose, e.g. stealing Chrome passwords, browser cookies, Discord tokens, and uploading all of this data to a Discord webhook.
Lübbers, who has reported these packages to PyPI admins, told BleepingComputer that these projects would likely need to be included as dependencies in a program for them to exhibit malicious behavior.
He pointed us to two test repositories [1, 2] purportedly created by the malware authors and also reported these to GitHub.
This week’s development marks another incident among a series of typosquatting attacks targeting developers while leveraging open source software distribution platforms like PyPI and npm.