
Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages
2023-02-10 16:44

Four different rogue packages in the Python Package Index have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized keys file.

"Most of these packages had well thought out names, to purposely confuse people," security researcher and journalist Ax Sharma said.

An analysis of the malicious code injected in the setup script reveals the presence of an obfuscated Meterpreter payload that's disguised as "Pip," a legitimate package installer for Python, and can be leveraged to gain shell access to the infected host.
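As an added defender-side illustration (not code from the article or from the researchers it cites), a minimal static check over a package's setup.py for the install-time traits described here: an exec() fed by a decoder, calls that delete or run system utilities, and string references to authorized_keys or netstat. The sample setup.py below is constructed for the demonstration.

```python
import ast

# Constructed sample of a setup.py showing the traits described in the article
# (decoded payload executed at install time, netstat removal, authorized_keys edit).
# Illustrative only; it is not the code of any real package.
SAMPLE_SETUP_PY = '''
import base64, os
from setuptools import setup
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
os.remove("/usr/bin/netstat")
open(os.path.expanduser("~/.ssh/authorized_keys"), "a").write("ssh-rsa AAAA...")
setup(name="pip-helper", version="0.1")
'''

DANGEROUS_CALLS = {"exec", "eval", "compile"}
DECODERS = {"b64decode", "b32decode", "decompress", "unhexlify"}
SYSTEM_CALLS = {"os.remove", "os.unlink", "os.system",
                "subprocess.run", "subprocess.Popen", "subprocess.call"}
SENSITIVE_STRINGS = ("authorized_keys", "netstat", "/etc/passwd")


def _dotted(node):
    """Render a Name/Attribute chain such as base64.b64decode as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _dotted(node.value) + "." + node.attr
    return ""


def scan_setup_py(source):
    """Return a sorted list of indicator tags found in setup.py source text."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            last = name.rsplit(".", 1)[-1]
            if last in DANGEROUS_CALLS:
                findings.add("dynamic-exec:" + last)
                # exec/eval whose argument tree contains a decoder is the
                # classic obfuscated-payload pattern
                for inner in ast.walk(node):
                    if isinstance(inner, ast.Call) and \
                            _dotted(inner.func).rsplit(".", 1)[-1] in DECODERS:
                        findings.add("obfuscated-payload")
            if name in SYSTEM_CALLS:
                findings.add("system-call:" + name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for needle in SENSITIVE_STRINGS:
                if needle in node.value:
                    findings.add("sensitive-string:" + needle)
    return sorted(findings)
```

Run it against the constructed sample and each of the three traits is reported; a plain setuptools stub yields an empty list. Heuristics like these flag candidates for review and do not replace sandboxed installation of untrusted packages.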

In a sign that malware sneaking into software repositories is a recurring threat, Fortinet FortiGuard Labs uncovered five different packages - web3-essential, 3m-promo-gen-api, ai-solver-gen, hypixel-coins, httpxrequesterv2, and httpxrequester - that are engineered to harvest and exfiltrate sensitive information.

The disclosures come as ReversingLabs sheds light on a malicious npm module named aabquerys that's designed to masquerade as the legitimate abquery package to trick developers into downloading it.

The author of aabquerys is said to have published multiple versions of two other packages named aabquery and nvm jquery that are suspected to be early iterations of aabquerys.


News URL

https://thehackernews.com/2023/02/researchers-uncover-obfuscated.html
