Security News > 2021 > November > Malicious Python packages employ advanced detection evasion techniques

JFrog researchers have discovered 11 malicious Python packages on PyPI, the official third-party package repository for Python, which have been collectively downloaded over 41,000 times.

This is not the first time that malicious packages have been successfully introduced into online package repositories and will surely not be the last.

What's worrying the researchers is that attackers are using increasingly advanced techniques to avoid detection.

The malicious packages - importantpackage, important-package, pptest, ipboards, owlmoon, DiscordSafety, trrfab, 10Cent10, 10Cent11, yandex-yt, and yiffparty - steal Discord tokens, establish a reverse shell over HTTP giving the attacker full control over an infected machine, or collect user information and send it via DNS tunneling to a server run by the attackers.

Another technique that some of these malicious Python packages use to evade network-based detection is to use the Fastly content delivery network to disguise communications with the C2 server as a communication with pypi.org.

"While this set of malicious packages may not have the same 'teeth' as our previous discoveries, what's notable is the increasing level of sophistication with which they are executed. It's not reaching for your wallet in broad daylight - but there is a lot more subterfuge going on with these packages, and some of them may even be setting up for a follow-up attack after the initial reconnaissance, instead of running a highly-compromising payload to start," the researchers concluded.

News URL

https://www.helpnetsecurity.com/2021/11/22/malicious-python-packages-detection/