
Hackers Distributing Malicious Python Packages via Popular Developer Q&A Platform
2024-08-01 13:32

In yet another sign that threat actors are always looking out for new ways to trick users into downloading malware, it has come to light that the question-and-answer platform known as Stack Exchange has been abused to direct unsuspecting developers to bogus Python packages capable of draining their cryptocurrency wallets.

The packages have been collectively downloaded 2,082 times.

The attack chain spans multiple stages, with the "Raydium" package listing "Spl-types" as a dependency in an attempt to conceal the malicious behavior and give users the impression that it was legitimate.
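The concealment described above works because a dependency declared by an installed package is pulled in without the developer ever naming it. The following added script (not from the article or from PyPI) walks a package's declared dependency tree offline and flags every package that would be installed but is not on an allowlist. The METADATA texts are constructed samples in the `Requires-Dist` format pip records in a wheel's METADATA file, with the page's package names used as labels; they are not the real packages' metadata.

```python
"""Offline audit of a package's transitive dependencies against an allowlist.

Surfaces a package that rides in behind another one (as the page says
"Spl-types" did behind "Raydium") before anything is installed.
"""
import re

# Constructed sample METADATA-style text per package (assumed, not real).
SAMPLE_METADATA = {
    "raydium": "Name: Raydium\nVersion: 1.0\n"
               "Requires-Dist: Spl-types\nRequires-Dist: requests (>=2.0)\n",
    "spl-types": "Name: Spl-types\nVersion: 0.1\nRequires-Dist: pycryptodome\n",
    "requests": "Name: requests\nVersion: 2.32.0\n",
    "pycryptodome": "Name: pycryptodome\nVersion: 3.20\n",
}

def normalize(name):
    """PEP 503 name normalization: lowercase, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def declared_deps(metadata):
    """Normalized names from Requires-Dist lines; version specs and markers ignored."""
    deps = []
    for line in metadata.splitlines():
        if line.startswith("Requires-Dist:"):
            req = line.split(":", 1)[1].strip()
            name = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", req).group(0)
            deps.append(normalize(name))
    return deps

def dependency_tree(root, metadata_lookup):
    """Breadth-first walk; returns {package: depth} including transitive deps.
    A package with no metadata in the lookup is treated as having no deps."""
    depth = {normalize(root): 0}
    queue = [normalize(root)]
    while queue:
        pkg = queue.pop(0)
        for dep in declared_deps(metadata_lookup.get(pkg, "")):
            if dep not in depth:
                depth[dep] = depth[pkg] + 1
                queue.append(dep)
    return depth

def audit(root, allowlist, metadata_lookup=SAMPLE_METADATA):
    """Sorted (package, depth) pairs that would be installed but are not allowlisted."""
    allowed = {normalize(n) for n in allowlist}
    tree = dependency_tree(root, metadata_lookup)
    return sorted((pkg, d) for pkg, d in tree.items() if pkg not in allowed)

if __name__ == "__main__":
    for pkg, d in audit("Raydium", ["requests", "pycryptodome"]):
        print(f"{'  ' * d}{pkg} (depth {d}) is not on the allowlist")
```

Against real installs, feed `audit` the METADATA files from a `pip download`-ed set of wheels instead of the constructed samples.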

A notable aspect of the campaign is the use of Stack Exchange as a distribution vector: ostensibly helpful answers referencing the package in question were posted in reply to developer questions about performing swap transactions on Raydium using Python.

It's currently not clear when the packages were removed from PyPI, as two other users have responded to the Medium post seeking help from the author about installing "Raydium-sdk" as recently as six days ago.

The development comes as Fortinet FortiGuard Labs detailed a malicious PyPI package called zlibxjson that packed features to steal sensitive information, such as Discord tokens, cookies saved in Google Chrome, Mozilla Firefox, Brave, and Opera, and stored passwords from the browsers.


News URL

https://thehackernews.com/2024/08/hackers-distributing-malicious-python.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Python 24 2 52 74 31 159