Malicious PyPI Packages Using Cloudflare Tunnels to Sneak Through Firewalls

2023-01-09 08:47

In yet another campaign targeting the Python Package Index repository, six malicious packages have been found deploying information stealers on developer systems.

The malicious code, as is increasingly the case, is concealed in the setup script of these libraries, meaning running a "Pip install" command is enough to activate the malware deployment process.

The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, install invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and run a Visual Basic Script extracted from the archive to execute more PowerShell code.

The rogue packages are also capable of harvesting cookies, saved passwords, and cryptocurrency wallet data from Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, Opera GX, and Vivaldi browsers.

In what's a novel technique adopted by the threat actor, the attack further attempts to download and install cloudflared, a command-line tool for Cloudflare Tunnel, which offers a "Secure way to connect your resources to Cloudflare without a publicly routable IP address."

The malware enables the threat actor to run shell commands, download remote files and execute them on the host, exfiltrate files and entire directories, and even run arbitrary python code.

News URL

https://thehackernews.com/2023/01/malicious-pypi-packages-using.html

#cloudflare #firewall

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Cloudflare		18	1	13	27	3	44
Pypi		15	0	0	1	15	16