A series of malicious packages uploaded to the PyPI registry have been identified as information stealers resembling the popular W4SP stealer. These copycats pose a serious threat to developers who may inadvertently install them, compromising the open-source software supply chain.
The microsoft-helper package on PyPI is a malicious package designed to deploy malware when developers run pip install. It downloads a remote script containing a second-stage payload, which exfiltrates sensitive information through a Discord webhook.
The malicious package reverse-shell on PyPI appears to be part of a global malware-as-a-service (MaaS) initiative. It executes a file from GitHub called bypass.py, which adds an application to the Windows Registry for persistence and launches a malicious script named WindowsDefender.py, designed to exfiltrate sensitive information.
SylexSquad is believed to be responsible for the reverse-shell package and the sophisticated info-stealer malware. The malware can retrieve cookies, take screenshots, run shell commands, steal browsing history, and send the data to the attacker's Discord channel.
An unpatched software bug/vulnerability in an open-source component called Redis led to a data breach at OpenAI. The incident exposed subscribers' payment-related info and users' chat queries and resulted in Italy becoming the first Western country to ban ChatGPT.
The httops package included a payload encoded with base64 with a URL that leads to a website inviting people to download cheats for the video game Grand Theft Auto 5. Users might be inadvertently installing some type of backdoor or remote access trojan (RAT) along with the mods.
Our AI detected a series of information stealers uploaded to the PyPI registry. They resemble W4SP Stealer, a dangerous information stealer that has inspired copycats after their emergence as a means to attack software supply chains in July 2022.
Near the end of February, we tracked a malware campaign involving a threat actor infiltrating the PyPI software registry with thousands of malicious packages. The packages contain a Windows Trojan that downloads second-stage infection from a Dropbox URL.
Our security researchers discovered a harmful Python package called aptX on PyPI designed to perform various detrimental activities, such as dropping malware, deleting the “netstat” utility, and tampering with the SSH authorized_keys file on the system.
Some attackers are designing malware that validates the presence of a virtual machine before attempting to execute. Our AI flagged the minimums package and our security researchers confirmed it as malicious. The package contains a payload in the setup.py file that attempts to download a Trojan virus from a rogue server, install it, and log the installation result using a Discord webhook.
Our security research team uncovered a noticeable volume of cryptocurrency miners within the npm registry. In one of our finds, the malicious package speedtestgod contained a package.go file detected as a Trojan that targets Linux systems and attempts to mine cryptocurrency using unsuspecting victims’ resources. We found other packages using the same Trojan file and uncovered that 16 of these malicious cryptominers originated from a single account. The supposed threat actor was reported and removed from the npm registry.
Some of the malicious packages detected by our AI targeted developers using Mac computers. With cobo-python-api, threat actors used dependency confusion to trick developers into downloading a tainted version of the crypto library ‘Cobo Custody Restful’. By uploading a compromised version with the same name on PyPI, attackers expect that the package manager (pip) used by developers will prioritize the malicious version over the legit GitHub version.
Our system flagged (and helped take down) six malicious packages attacking Python developers by combining the capabilities of a remote access trojan (RAT) and information stealers. With names such as easytimestamp, pyrologin, discorder, discord-dev, style.py, and pythonstyles, the malicious packages launch a PowerShell script that fetches a ZIP file and installs the libraries pynput, pydirectinput, and pyscreenshot that allows the attacker to control the target’s mouse and keyboard, and take screenshots.
PyTorch disclosed the compromise saying the attack exclusively affected users of the PyTorch-nightly build and not users of PyTorch stable packages. From December 25-30 2022, the nightly build downloaded a library called torchtriton—a dependency that executes a malicious binary when imported. PyTorch removed the counterfeit library as a dependency for nightly packages and replaced it with a dummy package registered on PyPI to prevent similar attacks.
More in the series of malicious packages that establish a backdoor connection between the attacker and target using the reverse shell technique. After November 2022’s initial attack, our AI caught additional packages such as aidoc-consul, aidoc.genmfa, and aidoc-e23-utils that leveraged this attack vector.
In another follow up to an attack in November 2022, our AI caught a series of packages on PyPI that concealed an important statement in their setup.py files by using spaces to create the illusion that there’s no malicious code in sight.
We discovered packages such as tshawn-Irce and tshawn-wrce that were tainted with malicious reverse shell and bind shell scripts. Other packages our security researchers found, such as requests-dm, fastupdate, and discordxyz, looked for information on the target computer’s OS such as hostnames, IPs, credentials, and other configuration details with the purpose of exfiltrating such data to malicious servers.
Our security researchers found that this attack started by copying a legit package (object_pool in this case) and then injecting __import__ statement to run malicious code from an external source.
A phishing attack attempts to distribute a .NET-based malware, dubbed 'JuiceStealer,' that steals credential, browser, and cryptocurrency vault information and feeds the ill-gotten goods to a domain (linkedopports[.]com) purportedly controlled by JuiceLedger. This malware attempts delivery in a sequence of a phishing email purporting a validation process which in turn steals login credentials and subsequently drops malware into the packages of unsuspecting PyPI maintainers.
Sonatype's malware detection systems spotted 186 npm packages that were typosquats of popular libraries. All of these packages dropped cryptominers after infecting Linux systems. A security researcher, Hauke Lübbers, additionally discovered an identical attack on PyPI and shared with us a list of 55 offending Python packages.
Malicious 'secretslib' Python package drops second-stage payload in-memory to silently run XMRig and mine Monero.
We identified and analyzed multiple malicious Python packages that contain ransomware scripts and are typosquats of a legitimate, widely known library called 'Requests.'
Sonatype discovered malicious PyPI packages that set up new Remote Desktop user accounts on your Windows computer and steal encrypted Telegram data files from your Telegram Desktop client.
We identified a suspicious PyPI component called 'python-dateutils' that mines Monero (XMR) cryptocurrency on your system—whether Windows, Linux, or macOS, and steals AWS credentials.
Sonatype security researchers analyzed npm packages '@core-pas/cyb-core' and 'notreallyapackagetrustme' that attempt to exfiltrate Amazon EC2 credentials as well as sensitive files such as ⁄etc/passwd on Linux, and SAM/SYSTEM on Windows.
npm package 'flame-vali' claims to let developers "bypass any request proxys." But instead it contains heavily obfuscated payload that makes several attempts to disable Windows Defender before it drops a trojan.
Multiple PyPI packages and typosquats caught by us this month exfiltrate AWS keys, environment variables, and other secret credentials. Users of these packages should immediately rotate their credentials.
Immensely popular PyPI package 'ctx' compromised in a supply chain attack and altered to steal environment variables from its users. Additionally, PHP project 'phpass' suffered a repo-hijacking attack with the project tained with an identical malicious payload to steal AWS keys.
We caught a 'pymafka' typosquat that drops Cobalt Strike payload across all platforms and targets developers using PyKafka, a legitimate Apache Kafka client for Python.
A malicious typosquat 'rustdecimal' was uploaded to the Rust's crate[.]io registry. The typosquat, named after the legitimate 'rust_decimal' concealed malicious code using carefully crafted XOR obfuscation. Sonatype's research team has analyzed the malware and added the typosquat to our security catalog to keep our customers protected.
We have now repeatedly seen the developers using the popular 'colors' library being targeted. Typosquats like colors-2.0, colors-update, colorsss are all attempts to make you fall for a nefarious clone of 'colors' laden with info-stealing trojans.
The 'karapace' PyPI package caught and analyzed by Sonatype has the exact same name as the Python package on GitHub which is "An open-source implementation of Kafka REST and Schema Registry."
In one of the suspicious npm packages Sonatype caught, we saw the npm package did nothing other than download another empty npm package from an external server, which made it all seem quite mysterious. But turns out, this PoC test by a researcher is a mere distraction technique for obtaining your IP address and username in a sleek manner.
Sonatype's automated malware detection bots flagged a suspicious dependency that has the same name as a real package used by VMware VSphere SDK developers. PyPI took down the package following our report and VMWare confirmed no impact to users and its products in a statement.
From a 'fix-crash' npm package that steals your Discord info to 400 more malicious packages, caught in addition to those from March, that target Azure developers.
The name 'Distutil' might ring a bell as 'distutils' is a now-deprecated Python library that provided support for building and installing additional modules into a Python installation. 'Distutil' on the other hand contains obfuscated code and is, what looks like a typosquatting attempt.
Protestware—cases where maintainers behind popular open source projects sabotage their own software to make a point continue to ramp up. In days following the 'node-ipc' sabotage, maintainers behind npm libraries like 'event-source-polyfill', 'es5-ext' and 'styled-components' began adding peaceful anti-war messages to their packages.
We have identified 130 typosquatting packages on npm and a dozen malicious packages on the PyPI repository, at a time when the world is focused on the Russia-Ukraine crisis and governments are urging organizations to step up cyber security efforts in response to related malicious cyber incidents.
To a casual observer, colors-2.0, colors-3.0, and other few may appear to be "newer" versions of the 'colors' library when that's far from the case. These packages are malware and tactfully named in a manner that may confuse a novice developer into mistaking them for the latest versions of official 'colors.'
Don't be fooled by these Python packages that Sonatype has discovered this week on the PyPI registry. From a mysterious reverse shell to an AIOHTTP typosquat making a comeback for the third time!
The development follows last week's discovery of over 400 malicious npm packages targeting Azure, Uber, and Airbnb developers—all caught by our malware detection system, offered as a part of Nexus Firewall.
Sonatype's automated malware detection systems have once again caught malicious PyPI packages that steal your Roblox security cookies and Discord tokens and drop suspicious EXEs on your system.
Sonatype spots threat actors polluting open source repos with bogus packages containing spam links. After tracking a series of massive malware and spam campaigns, we explain why threat actors increasingly target game developers and abuse gaming platforms for their malware-hosting needs.
Sonatype has once again stumbled upon a malicious Python package—this time imitating a massively popular middleware library. But instead, this package drops a Remote Access Trojan (RAT) that compromises your system completely.
The popular jQuery project has a mysterious sidekick that has popped - 'jquery-lh'. While the npm package does install real jQuery code, behind the scenes it does something fishy and unexpected.
Thousands of open source projects including those produced by companies like Facebook (Meta) and Amazon broke after the developer behind "colors" and "faker" intentionally sabotaged his own packages in protest of "Fortune 500" companies exploiting open source.
On January 23rd, a user flooded the PyPI registry with 1,275 dependency confusion packages, as spotted by Sonatype's automated malware detection systems.
One of the largest Vietnamese crypto apps, ONUS, suffered a cyber-attack due to a vulnerable Log4j version. Threat actors first approached ONUS with a $5 million ransom demand but put up their 2 million customer records for sale online after the company refused to pay.
A critical zero-day in immensely popular logging framework, log4j, is disclosed along with a public PoC. Shortly, attackers began mass exploitation of the flaw to push malware on vulnerable servers. Soon enough, CISA issues advisory and a dedicated webpage to urge organizations to remediate Log4Shell attacks.
These packages dropped trojans on Windows machines and attempted to pry on Apache Mesos instances on Linux systems.
Malicious versions of "coa" broke React pipelines around the world until they were removed. These versions contained similar credential-stealing trojan as the one seen in hacked "ua-parser-js" versions.
Yet another popular npm package, "rc" with 14 million weekly downloads is hijacked to spread malware, merely hours after "coa" hack is spotted. The malware and attack style is identical, drawing a link between the threat actor behind both incidents. NPM pins the cause of both attacks to project maintainer's account compromise.
Between October 12–15, new npm cryptomining malware was found targeting Linux, macOS, Windows devices, and imitating the legitimate "ua-parser-js" package.
On October 22, a popular "ua-parser-js" library with over 7 million weekly downloads was itself hijacked. The same cryptominers were found.
Between October 20 and 26, Sonatype discovered typosquatting packages that mimic noblox.js, a popular Roblox game API wrapper. The Obfuscated malware found in npm includes extra unwanted functionalities including trojans, ransomware, and even a spooky surprise.
SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply-chain attack. Just one malicious code commit made to Sushi’s private GitHub repository was enough to alter the company’s auction portal, and replace the authentic wallet address with the attacker's.
A ransomware group discovered and exploited a zero-day vulnerability in a remote monitoring and management software platform used by dozens of managed security providers (MSP). Because these MSPs service thousands of downstream customers, the hackers were able to conduct a ransomware attack against 1,500 victims.
The weekend after launching, Winget's software registry was flooded with pull requests for apps that were either duplicates or malformed. Some newly added duplicate packages were corrupted and ended up overwriting the existing packages, raising serious concerns about the integrity of the Winget ecosystem.
An attacker was able to gain access to a credential via a mistake in how Codecov were building Docker images. This credential then let them modify Codecov’s bash uploader script which was either used directly by customers or via Codecov’s other uploaders like their Github Action. The attacker used this modified script to steal credentials from the CI environments of customers using it.
Three days after news broke of an ethical researcher hacking over 35 big tech firms in a novel supply-chain attack, more than 300 malicious copycat attacks were recorded. Within one month, more than 10,000 dependency confusion copycats had infiltrated npm and other ecosystems.
Threat actors gained access to SolarWinds dev infrastructure, and injected malicious code into Orion update binaries. 18,000 customers automatically pulled trojanized updates, planting backdoors into their systems and allowing bad actors to exploit private networks at will.
Discovery of the malware, called xpc.js in the npm registry confirmed to be a part of the newly identified family of Discord malware named CursedGrabber. This malware targets Window hosts and steals Discord information, sending user information via webhook to the attacker.
The series of components were identified as a successor to “fallguys” malware: discord.dll, discord.app, wsbd.js, and ac-addon. These components exfiltrate Discord and web browser’s “leveldb” files, as well as collect data such as IP address, “PC username,” “discordcanary” files, etc.
The malicious typosquatted packages jdb.js and db-json.js are found laced with a popular Remote Access Trojan (RAT), njRAT aka Bladabindi. Upon install, the malicious script engaged in data gathering and reconnaissance, ultimately launching patch.exe which is an njRAT written in .NET. This allows a remote attacker to log keystrokes, modify registry values, initiate system shutdown or restart at will, among other nefarious activities.
The counterfeit package twilio-npm opens a backdoor on a user’s device, giving attackers control of the compromised machine and Remote Code Execution (RCE) capabilities.
The electorn, loadyaml, lodashs, and loadyml packages have all been identified as vulnerable. Once installed, the packages collect and expose sensitive information, including IP address, geolocation, and device fingerprint, publishing this data to a public GitHub page.
26 open source packages were found to be compromised through malicious code injection. The malware was designed to enumerate and backdoor NetBeans projects through the NetBeans IDE.
400 gems were removed from the public repository for typosquatting and crypto mining malware. They include atlas-client (downloaded 2,100 times by developers).
The malicious npm package — 1337qq-js — exfiltrates sensitive information such as hard-coded passwords or API access tokens through install scripts and targets UNIX systems only.
Two Python libraries, python3-dateutil and jeIlyfish, were caught stealing SSH and GPG keys from the projects or infected developers.
All versions of sj-tw-test-security are found to contain malicious code. The package downloads and runs a script that opens a reverse shell in the system, allowing a remote attacker to compromise the affected system.
Taking advantage of a typosquatting exploit for lodash npm packages, all versions of the lodahs package contain malware designed to find and exfiltrate cryptocurrency wallets. Packages web3b and web3-eht were removed for the same exploit pattern.
Three versions of the Gems package basic_authable, released in 2017, were yanked from the Gems repository due to their malicious nature.
A compromised version of rest-client, a popular HTTP and REST client for Ruby, was uploaded to RubyGems. Affected versions (1.6.10 to 1.6.13) were downloaded about 1,000 times. Similar vulnerabilities were found in Gem packages coming-soon and cron_parser.
The component bb-builder stole login information from the computers it was installed on, sending it to a remote server.
A security firm found three malicious Python libraries — libpeshnx, libpesh, and libari — uploaded on the official Python Package Index (PyPI) that contained a hidden backdoor which would activate when the libraries were installed on Linux systems.
This attack involves remote code execution in applications using or bundling the strong_password component. The hacker in this attack compromised the component and its dependencies — and locked out the gem maintainer
An npm package contained code designed to steal cryptocurrency wallet seeds and other login instruction details specific to cryptocurrency apps. Tipped off by npm researchers, makers of the Agama cryptocurrency wallets shifted $13 million worth of currency before adversaries could steal it.
Packages were pulled from the public repository because they contained code for cryptomining or cookie/password stealing.
A malicious version of the popular bootstrap-sass package, downloaded a total of 28 million times to date, and with 1.6K dependencies, is published to the RubyGems repository.
The injected code in the event-stream package targets the Copay application and was designed to harvest account details and private keys from accounts having a balance of more than 100 Bitcoin or 1,000 Bitcoin Cash.
A GitHub API token leaked from Homebrew’s Jenkins provided a security researcher with access to core Homebrew software repos.
“If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it,” researcher Eric Holmes explained.
Unknown individuals gain control of the Github Gentoo organization and modiﬁed the content of repositories as well as pages within — all code considered compromised.
npm security team responds to reports the getcookies package, which contained malicious code that allowed remote users to execute arbitrary code on servers. The investigation also revealed that an existing package called mailparser began listing http-fetch-cookies as a dependency. Despite being deprecated, mailparser still receives about 64,000 weekly downloads.
Python module ssh-decorator backdoored to collect users' SSH credentials and sent the data to a remote server.
After a developer deleted their go-bindata GitHub account, someone immediately grabbed the ID — inheriting the karma instilled in that ID and calling into question packages and sources.
A malicious version of a package from a core contributor to the conventional-changelog ecosystem is published. The package was installed 28,000 times in 35 hours and executed a Monero crypto miner.
David Gilbertson writes a ﬁctional tale on his blog about creating a malicious npm package.
10 malicious Python packages found with misspelled names intentionally chosen to trick users. Evidence of the fake packages being incorporated into software was noted multiple times between June and Sept 2017.
39 packages harvested undetected over two weeks, collecting credentials used to publish to the npm repository itself.
Affects access to 14% of the npm repo (79K packages). As a result, npm reset the passwords and auth tokens of over 1,000 developers.
Username docker123321 uploads backdoored container images used to install reverse shells and cryptocurrency miners on users' servers. Images not removed until June 2018. The same username is later accused of poisoning a Kubernetes honeypot (Jan. 2018) and equated to a crypto-mining botnet (May 2018).
Sonatype’s report blends a broad set of data to reveal important findings about open source and its increasingly important role in digital innovation.
See how artificial intelligence and machine learning that never stops learning, plus 65 world class professionals with 500+ years of experience lead to the best data in the industry.
Are you at risk of a software supply chain hack? Try Nexus Vulnerability Scanner for FREE to find out if your software has any open source security vulnerabilities.
Sonatype Headquarters - 8161 Maple Lawn Blvd #250, Fulton, MD 20759
Tysons Office - 8281 Greensboro Drive – Suite 630, McLean, VA 22102
Australia Office - 60 Martin Place Level 1, Sydney, NSW 2000, Australia
London Office -168 Shoreditch High Street, E1 6HU London
Subscribe for all the latest software security news and events
Copyright © 2008-present, Sonatype Inc. All rights reserved. Includes the third-party code listed here. Sonatype and Sonatype Nexus are trademarks of Sonatype, Inc. Apache Maven and Maven are trademarks of the Apache Software Foundation. M2Eclipse is a trademark of the Eclipse Foundation. All other trademarks are the property of their respective owners.