
11 Malicious PyPI Python Libraries Caught Stealing Discord Tokens and Installing Shells
2021-11-21 23:12

Cybersecurity researchers have uncovered as many as 11 malicious Python packages that have been cumulatively downloaded more than 41,000 times from the Python Package Index repository, and could be exploited to steal Discord access tokens, passwords, and even stage dependency confusion attacks.

The Python packages have since been removed from the repository following responsible disclosure by DevOps firm JFrog.

Unlike typosquatting attacks, where a malicious actor deliberately publishes packages under misspelled names of popular ones, dependency confusion targets organisations that depend on internal, privately hosted packages: the attacker publishes a poisoned package under the same name to the public repository, but with a higher version number. A package manager that is configured to consult both the private and the public index, and to take the highest version it finds, is then effectively forced to download and install the attacker's module instead of the internal one.
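To make the resolution step concrete, the following added example (not code from JFrog or from the article) models the package-manager side of a dependency confusion attack. The package name `acme-billing`, the version numbers and the two index listings are constructed for illustration; the naive resolver mirrors what `pip install --extra-index-url <private-index>` does (union of all indexes, highest version wins), and the hardened resolver pins each package name to the one index it is allowed to come from, which is what a private proxy that never falls through to PyPI for internal names achieves.

```python
"""Dependency confusion, modelled on the resolver side.

Added example, not the article's or JFrog's code. Index contents and
package names below are constructed; they stand in for a private index
holding an internal package and the public PyPI holding an attacker's
upload under the same name with a much higher version number.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # "private" or "public"


def parse_version(version: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


# Constructed index listings. The internal package exists only on the
# private index; the attacker has published the same name publicly.
PRIVATE_INDEX = [
    Candidate("acme-billing", "1.4.2", "private"),
    Candidate("acme-billing", "1.4.1", "private"),
]
PUBLIC_INDEX = [
    Candidate("acme-billing", "99.0.0", "public"),   # attacker-controlled
    Candidate("requests", "2.26.0", "public"),
]


def resolve_extra_index(name: str, *indexes) -> Candidate:
    """Naive resolution: merge every index and take the highest version.

    This is the behaviour of `pip install --extra-index-url <private>`:
    the public index is consulted too, so the attacker's 99.0.0 wins.
    """
    candidates = [c for index in indexes for c in index if c.name == name]
    if not candidates:
        raise LookupError(f"no candidates for {name}")
    return max(candidates, key=lambda c: parse_version(c.version))


def resolve_pinned_index(name: str, index_for_name: dict, *indexes) -> Candidate:
    """Hardened resolution: each package name is allowed from one index only.

    Candidates that come from any other index are discarded before the
    version comparison, so a higher public version cannot shadow an
    internal package. Names not in the allow-map are refused outright
    rather than silently falling through to the public index.
    """
    try:
        allowed = index_for_name[name]
    except KeyError:
        raise LookupError(f"{name} is not mapped to an index") from None
    candidates = [
        c for index in indexes for c in index
        if c.name == name and c.index == allowed
    ]
    if not candidates:
        raise LookupError(f"no candidates for {name} on index {allowed!r}")
    return max(candidates, key=lambda c: parse_version(c.version))


if __name__ == "__main__":
    # Naive: the public 99.0.0 shadows the internal 1.4.2.
    print("naive   :", resolve_extra_index("acme-billing", PRIVATE_INDEX, PUBLIC_INDEX))
    # Hardened: only the private index is consulted for this name.
    pins = {"acme-billing": "private", "requests": "public"}
    print("hardened:", resolve_pinned_index("acme-billing", pins, PRIVATE_INDEX, PUBLIC_INDEX))
```

The same shadowing happens in any ecosystem whose resolver merges candidates across indexes and prefers the highest version, which is why the usual mitigations are to route all installs through a single proxy that owns the internal namespace, to reserve internal package names on the public registry, and to pin dependencies with hashes so that a substituted artifact fails verification even if it is selected.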

"Package managers are a growing and powerful vector for the unintentional installation of malicious code, and attackers are getting more sophisticated in their approach," said Menashe, JFrog's senior director of research.

"The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling signal a disturbing trend that attackers are becoming stealthier in their attacks on open-source software."

After at least three NPM developer accounts were compromised by bad actors to insert malicious code into popular packages "Ua-parser-js," "Coa," and "Rc," GitHub earlier this week outlined plans to tighten the security of the NPM registry by requiring two-factor authentication for maintainers and admins starting in the first quarter of 2022.


News URL

https://thehackernews.com/2021/11/11-malicious-pypi-python-libraries.html
