
Over 170K users caught up in poisoned Python package ruse
2024-03-25 18:00

More than 170,000 users have been affected by an attack using fake Python infrastructure with "Successful exploitation of multiple victims."

The attacker relied on several supply chain attack techniques to distribute malware-laced Python packages through PyPI.

The remarkably complicated attack had multiple prongs: clones of popular Python packages such as Colorama, and a doppelganger (typosquatted) domain for Python packages.

The malicious Python packages were uploaded in November 2022, but the attack didn't start in earnest until last February when the doppelganger domain was registered.

Via their GitHub account, the attacker made a commit to Top.gg that ostensibly changed one thing, but also inserted the fake Colorama package in between several real URLs, making it stand out less.

In repositories maintained by other compromised accounts, the attacker made commits that added several packages hosted on the real website alongside the fake Colorama package.
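The technique described above works because a single dependency URL on a lookalike host is easy to miss among genuine ones. One defender-side check is to audit a requirements file and report every URL (direct references, index and find-links options) whose host is not an official PyPI host, treating hosts within a small edit distance of an official one as lookalikes. The script below is an added example written for this article, not code from the article or from any project it names; the requirements text is constructed, and the lookalike hostname in it is a placeholder on the reserved .example TLD rather than the domain used in the reported attack.

```python
"""Audit a pip requirements file for dependency URLs that point away from the
official Python package hosts.

Added example for this article; it is not code from the article or from any
project it names. The requirements text below is constructed, and the
lookalike hostname in it is a placeholder on the reserved .example TLD, not
the domain used in the reported attack.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts that legitimately serve the public PyPI index and its package files.
OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Maximum edit distance (TLD removed) at which a host is reported as a lookalike.
LOOKALIKE_MAX_DISTANCE = 2

URL_RE = re.compile(r"https?://\S+")

# Constructed sample: one lookalike URL hidden among genuine entries, plus an
# extra index host that is simply unrecognised.
SAMPLE_REQUIREMENTS = """\
# constructed example requirements file
requests==2.31.0
https://files.pythonhosted.org/packages/aiohttp-3.9.1.tar.gz
https://files.pythonhostad.example/packages/colorama-0.4.6.tar.gz
colorama @ https://files.pythonhosted.org/packages/colorama-0.4.6.tar.gz
--index-url https://pypi.org/simple
--extra-index-url https://pypi-mirror.example/simple
"""


@dataclass
class Finding:
    line_no: int
    host: str
    verdict: str  # "lookalike" or "unknown"
    line: str


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def strip_tld(host: str) -> str:
    """Drop the final DNS label so a swapped TLD does not mask a lookalike."""
    return host.rsplit(".", 1)[0] if "." in host else host


def classify_host(host: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a package URL host."""
    host = host.lower()
    if host in OFFICIAL_HOSTS:
        return "official"
    base = strip_tld(host)
    nearest = min(levenshtein(base, strip_tld(h)) for h in OFFICIAL_HOSTS)
    return "lookalike" if nearest <= LOOKALIKE_MAX_DISTANCE else "unknown"


def audit_requirements(text: str) -> list[Finding]:
    """Flag every URL in the file whose host is not an official PyPI host.

    Covers bare URLs, 'name @ url' direct references and pip options such as
    --index-url, --extra-index-url and --find-links."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for url in URL_RE.findall(stripped):
            host = urlparse(url).hostname
            if not host:
                continue
            verdict = classify_host(host)
            if verdict != "official":
                findings.append(Finding(line_no, host, verdict, stripped))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.verdict:9} {f.host}  <- {f.line}")
```

Run against the constructed sample, the audit reports line 4 as a lookalike of files.pythonhosted.org and line 7 as an unknown extra index, while the genuine pypi.org and files.pythonhosted.org entries pass. The TLD is stripped before comparing because a lookalike will usually differ from the real host in both a label and the TLD, and comparing whole hostnames would let the TLD change push the distance past the threshold. In a real pipeline, a non-empty findings list is the signal to block the merge and have a human look at the commit.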


News URL

https://go.theregister.com/feed/www.theregister.com/2024/03/25/python_package_malware/

Related vendor

Vendor   Products (last 12 months)   Low   Medium   High   Critical   Total vulns
Python   27                          10    87       73     27         197