
Malicious PyPI Packages Using Compiled Python Code to Bypass Detection
2023-06-01 12:16

Researchers have discovered a novel attack on the Python Package Index repository that employs compiled Python code to sidestep detection by application security tools.

A .pyc file holds Python bytecode: the interpreter compiles a module's source on first import and caches the result so later imports can skip compilation. Because the bytecode, not the source, is what runs, a package can ship a .pyc with no corresponding .py file at all, which is what this attack relies on.

"When a module is imported for the first time a .pyc file containing the compiled code should be created in a __pycache__ subdirectory of the directory containing the .py file," explains the Python documentation.

"The entry point of the package was found in the __init__.py file, which imports a function from the other plaintext file, main.py, which contains Python source code responsible for loading of the Python compiled module located in one of the other files, full.pyc," ReversingLabs researcher Karlo Zanki said of the fshec2 package.

ReversingLabs said it also observed the compiled module download and run a further Python script that fetches new commands from a file the threat actor can edit at will, so the instructions delivered to an infected host can change after the package is installed.

"Loader scripts such as those discovered in the fshec2 package contain a minimal amount of Python code and perform a simple action: loading of a compiled Python module," Zanki said.
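To make that layout concrete, the following is an added example; it is not the fshec2 package's code and not ReversingLabs' tooling. It builds a constructed package with the same three-file shape described above (an __init__.py that imports from a plaintext main.py, which executes a sibling full.pyc through the standard library's SourcelessFileLoader), imports it the way installed code would, and then runs the two checks a reviewer would want over a downloaded sdist or wheel: listing .pyc files shipped outside __pycache__, and parsing the 16-byte .pyc header to see whether it even targets the running interpreter. The payload text, the package name bytecodepkg and the start() and run() function names are assumptions for the demonstration.

```python
"""Added example: a package whose __init__.py -> main.py -> full.pyc chain
mirrors the layout described in the article, plus two review checks.
Constructed for illustration; not the fshec2 package's own code."""
import importlib
import importlib.util
import marshal
import os
import struct
import sys
import tempfile

MAGIC = importlib.util.MAGIC_NUMBER  # first 4 bytes of a .pyc built for this interpreter

# Constructed stand-in for full.pyc: a real package would carry hostile
# bytecode here; this one only records that it executed.
PAYLOAD_SRC = "MARKER = 'ran from bytecode'\ndef run():\n    return MARKER\n"

# Plaintext loader playing the role of main.py: minimal code whose only job
# is to execute the compiled module sitting next to it.
MAIN_SRC = '''
import importlib.machinery, importlib.util, os
def start():
    path = os.path.join(os.path.dirname(__file__), "full.pyc")
    loader = importlib.machinery.SourcelessFileLoader("full", path)
    spec = importlib.util.spec_from_file_location("full", path, loader=loader)
    mod = importlib.util.module_from_spec(spec)
    loader.exec_module(mod)   # bytecode runs here; no .py is ever read
    return mod.run()
'''


def write_pyc(source, path):
    """Compile source and write a timestamp-style .pyc: 16-byte header + marshal data."""
    code = compile(source, "full.py", "exec")
    with open(path, "wb") as fh:
        fh.write(MAGIC)
        fh.write(struct.pack("<III", 0, 0, 0))  # flags=0, source mtime, source size
        fh.write(marshal.dumps(code))


def pyc_header(path):
    """Parse the header. A foreign magic means the file cannot load on this Python."""
    with open(path, "rb") as fh:
        magic, flags, field1, field2 = struct.unpack("<4sIII", fh.read(16))
    return {
        "magic_ok": magic == MAGIC,
        "hash_based": bool(flags & 1),  # bit 0: hash-based pyc, bit 1: check_source
        "mtime_or_hash": field1,
        "source_size": field2,
    }


def stray_pyc_files(root):
    """Return .pyc files found outside any __pycache__ directory.

    Legitimately built sdists and wheels rarely ship these, so every hit
    deserves a look before the package is installed."""
    found = []
    for dirpath, _, files in os.walk(root):
        if os.path.basename(dirpath) == "__pycache__":
            continue
        found += [os.path.join(dirpath, f) for f in files if f.endswith(".pyc")]
    return sorted(found)


def build_and_run(pkg_name="bytecodepkg"):
    """Lay out the constructed package, import it like installed code, then scan it."""
    root = tempfile.mkdtemp()
    pkg = os.path.join(root, pkg_name)
    os.makedirs(pkg)
    with open(os.path.join(pkg, "__init__.py"), "w") as fh:
        fh.write("from .main import start\n")  # entry point: plaintext import only
    with open(os.path.join(pkg, "main.py"), "w") as fh:
        fh.write(MAIN_SRC)
    write_pyc(PAYLOAD_SRC, os.path.join(pkg, "full.pyc"))

    sys.path.insert(0, root)
    importlib.invalidate_caches()
    result = importlib.import_module(pkg_name).start()

    stray = stray_pyc_files(pkg)
    return {
        "result": result,
        "stray": [os.path.relpath(p, pkg) for p in stray],
        "header": pyc_header(stray[0]),
    }


if __name__ == "__main__":
    print(build_and_run())
```

The scan deliberately ignores __pycache__, since importing main.py legitimately writes main.cpython-XX.pyc there; only full.pyc is reported. When a stray .pyc turns up, marshal.loads on the bytes after the header followed by dis.dis lets you read the bytecode without executing it, and a magic that does not match any supported interpreter tells you the payload is inert on that host rather than benign.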


News URL

https://thehackernews.com/2023/06/malicious-pypi-packages-using-compiled.html
