North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository
2023-08-31 12:46

Three additional rogue Python packages have been discovered in the Python Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors.

First disclosed at the start of the month by ReversingLabs and Sonatype, VMConnect refers to a collection of Python packages that mimic popular open-source Python tools to download unknown second-stage malware.

The latest tranche is no different, with ReversingLabs noting that the bad actors are disguising their packages and making them appear trustworthy by using typosquatting techniques to impersonate prettytable and requests and confuse developers.

One of the main changes introduced in tablediter is that it no longer triggers the malicious code immediately upon installation of the package, so as to evade detection by security software.

What's more, ReversingLabs said it found a Python package named py_QRcode which contains malicious functionality that is very similar to that found in the VMConnect package.

"This is just another in a line of malicious attacks targeting users of the PyPI repository," Zanki said, adding "Threat actors continue to use the Python Package Index repository as a distribution point for their malware."


News URL

https://thehackernews.com/2023/08/north-korean-hackers-deploy-new.html

Related vendor

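Vulnerability counts are for the last 12 months.

| Vendor | # Products | Low | Medium | High | Critical | Total vulns |
|--------|------------|-----|--------|------|----------|-------------|
| Python | 24         | 2   | 52     | 74   | 31       | 159         |
| Pypi   | 15         | 0   | 0      | 1    | 15       | 16          |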