An unknown threat actor has been observed publishing typosquat packages to the Python Package Index (PyPI) repository for nearly six months with an aim to deliver malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets for financial gain.
The 27 packages, which masqueraded as popular legitimate Python libraries, attracted thousands of downloads, Checkmarx said in a new report. A majority of the downloads originated from the U.S., China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the U.K., and Japan.
"A defining characteristic of this attack was the utilization of steganography to hide a malicious payload within an innocent-looking image file, which increased the stealthiness of the attack," the software supply chain security firm said.
Some of the packages are pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool, the last of which was planted on May 13, 2023.
A common denominator to these packages is the use of the setup.py script to include references to other malicious packages (i.e., pystob and pywool) that deploy a Visual Basic Script (VBScript) in order to download and execute a file named "Runtime.exe" to achieve persistence on the host.
Embedded within the binary is a compiled file that's capable of gathering information from web browsers, cryptocurrency wallets, and other applications.
An alternate attack chain observed by Checkmarx is ..
Support the originator by clicking the read the rest link below.