Security News > 2022 > November > Researchers Uncover PyPI Package Hiding Malicious Code Behind Image File

A malicious package discovered on the Python Package Index has been found employing a steganographic trick to conceal malicious code within image files.

The package in question, named "Apicolor," was uploaded to the Python third-party repository on October 31, 2022, and described as a "Core lib for REST API," according to Israeli cybersecurity firm Check Point.

Apicolor, like other rogue packages detected recently, harbors its malicious behavior in the setup script used to specify metadata associated with the package, such as its dependencies.

This takes the form of a second package called "Judyb" as well as a seemingly harmless PNG file hosted on Imgur, an image-sharing service.

The attack chain entails using the judyb package to extract obfuscated Python code embedded within the downloaded image, which, upon decoding, is designed to retrieve and execute a malicious binary from a remote server.

Even more troublingly, such malicious libraries can be incorporated into other open source projects and published on GitHub, effectively broadening the scope and scale of the attacks.

News URL

https://thehackernews.com/2022/11/researchers-uncover-pypi-package-hiding.html