20 June 23, 09:17
Quote:
In late 2022 we decided to start monitoring PyPI, arguably the most important Python repository, as there were a number of reports on it hosting malware. PyPI took exceptional relevance amongst all repositories as, historically, it was trusted by default by many software developers. Any security breach or abuse could lead to a large-scale Supply Chain attack.
During our monitoring we were able to identify dozens of suspicious packages, allegedly uploaded by threat actors trying to abuse PyPI. In some cases, attackers poisoned well-known legitimate Python libraries and reuploaded them leveraging typosquatting, such as "pylOpenSSL" mimicking pyOpenSSL. In other cases, they uploaded completely fake packages consisting only of malicious code, such as the scappy library.
Generally speaking, the main target of these attacks appears to be the victim's environment data, with a focus on browser cookies. In some cases, malicious libraries implemented quite original features, like hijacking crypto wallet addresses in the victim's clipboard.
In this post we will share insights on PyPI's suspicious libraries as well as take a closer look at particular campaigns abusing it.
Statistical analysis
We observed that VirusTotal's historical visibility on PyPI's packages was far from ideal. Our monitoring system, aimed at fixing this blind spot, analyzed more packages in a few days than VirusTotal's PyPI historical data.
We spotted an early batch of suspicious packages, detected by at least one AntiVirus vendor, and confirmed malicious after further detailed analysis. The following chart compares analyzed samples with suspicious ones (detected by at least one AntiVirus). Please note that this chart uses raw data before additional analysis, meaning it includes both False Positives and False Negatives.
The manual analysis of dozens of malicious files gave us the impression that AntiVirus detection was initially low but it improved as details on malware abusing PyPI became publicly available, increasing awareness. This trend is visible in the following chart, where every dot represents the daily average detection ratio for suspicious PyPI packages.
...