Researchers have discovered as many as 11 malicious Python packages, downloaded more than 41,000 times from the Python Package Index (PyPI), that can be used to steal Discord access tokens and passwords or to carry out dependency confusion attacks.
According to JFrog researchers Andrey Polkovnychenko and Shachar Menashe, the malicious code “causes an HTTPS request to be sent to pypi.python[.]org (which is indistinguishable from a legitimate request to PyPI), which is later rerouted by the CDN as an HTTP request to the [command-and-control] server.”
The “importantpackage” dependency stands out for its novel network-based detection-evasion technique: it disguises its connections to the attacker-controlled server as communications with pypi[.]org by routing them through Fastly’s content delivery network (CDN).
Following responsible disclosure by the DevOps company JFrog, the packages have been removed from the repository:
- importantpackage / important-package
- 10Cent10 / 10Cent11
Menashe, JFrog’s senior director of research, said: “Package managers are a growing and strong channel for the unintended installation of malicious programmes, and […] attackers’ approaches are becoming more sophisticated. The advanced evasion methods used in these malware packages, such as innovative exfiltration or even DNS tunnelling, show a troubling trend of attackers growing stealthier in their attacks on open-source software.”
After threat actors used at least three NPM developer accounts to inject malicious code into the popular packages “ua-parser-js,” “coa,” and “rc,” GitHub announced plans earlier this week to strengthen the NPM registry’s security by requiring two-factor authentication (2FA) for maintainers and admins beginning in the first quarter of 2022.
The news comes as the software development and version control platform said it has patched several issues in the NPM registry that could have exposed private package names and allowed attackers to bypass authentication and publish new versions of any package without authorisation.
Finally, the JFrog researchers found that “ipboards” and a fifth package, “pptest”, use DNS tunnelling as their data exfiltration method, relying on DNS requests as the communication channel between the victim machine and the remote server. It is the first time the technique has been observed in malware published to PyPI.
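DNS tunnelling of the kind described above carries the stolen data inside the query names themselves, so a resolver log that receives a burst of distinct, long, high-entropy subdomains for one domain is the place a defender can see it. The detector below is an added example, not JFrog’s code and not taken from any of the packages reported here; the log format, the domain c2-example.invalid and the hex subdomain labels are constructed sample input, and the registered-domain split assumes plain two-label domains (no public-suffix list).

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the article): "timestamp client qname qtype".
# The five TXT queries mimic an encoded payload being carried in subdomain labels.
SAMPLE_DNS_LOG = """\
2021-11-22T10:00:01Z 10.0.0.12 pypi.org A
2021-11-22T10:00:02Z 10.0.0.12 files.pythonhosted.org A
2021-11-22T10:00:03Z 10.0.0.12 3a7f9c1e2b4d6081.c2-example.invalid TXT
2021-11-22T10:00:04Z 10.0.0.12 9e0d4b2a7c5f1136.c2-example.invalid TXT
2021-11-22T10:00:05Z 10.0.0.12 b81c6f3e0a2d9947.c2-example.invalid TXT
2021-11-22T10:00:06Z 10.0.0.12 4f2e8a1d7b0c3355.c2-example.invalid TXT
2021-11-22T10:00:07Z 10.0.0.12 c0a5d3f9e1b27468.c2-example.invalid TXT
2021-11-22T10:00:08Z 10.0.0.12 github.com A
2021-11-22T10:00:09Z 10.0.0.12 www.python.org A
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character: ~3.5+ for hex/base32 payloads, lower for real words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the constructed log format into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            records.append(rec)
    return records


def split_qname(qname):
    """Naive split into (subdomain, registered_domain): the last two labels are taken
    as the registered domain. Assumption: no public-suffix list (co.uk etc. needs one)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_tunnelling(records, min_label_len=12, min_entropy=3.0, min_unique=5):
    """Flag registered domains that receive many distinct, long, high-entropy subdomains.
    That pattern is data being encoded into query names rather than names being resolved.
    Returns {domain: {"unique_subdomains": n, "bytes_in_labels": b, "qtypes": {...}}}."""
    per_domain = defaultdict(lambda: {"subs": set(), "bytes": 0, "qtypes": defaultdict(int)})
    for rec in records:
        sub, domain = split_qname(rec["qname"])
        if not sub:
            continue
        longest = max(sub.split("."), key=len)
        if len(longest) < min_label_len or shannon_entropy(longest) < min_entropy:
            continue  # short or low-entropy labels (www, files, cdn1) are ordinary traffic
        agg = per_domain[domain]
        agg["subs"].add(sub)
        agg["bytes"] += len(sub.replace(".", ""))  # rough upper bound on exfiltrated bytes
        agg["qtypes"][rec["qtype"]] += 1
    flagged = {}
    for domain, agg in per_domain.items():
        if len(agg["subs"]) >= min_unique:
            flagged[domain] = {
                "unique_subdomains": len(agg["subs"]),
                "bytes_in_labels": agg["bytes"],
                "qtypes": dict(agg["qtypes"]),
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in detect_tunnelling(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"possible DNS tunnelling to {domain}: {stats}")
```

The thresholds are deliberately conservative: a single odd-looking query is not evidence, but five or more unique 12+ character labels with hex-like entropy under one domain in a short window is a pattern worth an alert, and the per-domain byte count gives the responder a first estimate of how much may have left. On real resolver logs the registered-domain split should use a public-suffix list, and CDN and anti-virus domains that legitimately use hashed labels belong on an allowlist.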