Security News > 2023 > June > Malicious PyPI Packages Using Compiled Python Code to Bypass Detection

Malicious PyPI Packages Using Compiled Python Code to Bypass Detection
2023-06-01 12:16

Researchers have discovered a novel attack on the Python Package Index repository that employs compiled Python code to sidestep detection by application security tools.

PYC files are compiled bytecode files that are generated by the Python interpreter when a Python program is executed.

"When a module is imported for the first time a.pyc file containing the compiled code should be created in a pycache subdirectory of the directory containing the.py file," explains the Python documentation.

"The entry point of the package was found in the init.py file, which imports a function from the other plaintext file, main.py, which contains Python source code responsible for loading of the Python compiled module located in one of the other files, full.pyc," Zanki pointed out.

ReversingLabs said it also observed the module download and run another Python script that's responsible for fetching new commands placed within a file that can be tweaked at will by the threat actor to issue different instructions.

"Loader scripts such as those discovered in the fshec2 package contain a minimal amount of Python code and perform a simple action: loading of a compiled Python module," Zanki said.


News URL

https://thehackernews.com/2023/06/malicious-pypi-packages-using-compiled.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Python 24 2 52 74 31 159
Pypi 15 0 0 1 15 16