10 information-stealing packages found in the Python programming language repository, PyPI

Fake ascii2text description vs original package description

Researchers at Spectralops.io, a Check Point company, have discovered ten malicious packages in PyPI, a software repository for the Python programming language. Attackers execute malicious code on target devices, deceiving users with misleading names and descriptions of familiar packages. Installing malicious packages allows attackers to steal programmers’ private data and personal credentials. PyPI has more than 609,020 active users, working on 388,565 projects, with 3,630,725 versions.

Researchers at Spectralops.io, a Check Point Software company, have discovered ten malicious packages in PyPI, a software repository for the Python programming language. The security threat allows cybercriminals to execute code on targeted devices, allowing attackers to steal programmers’ private data and personal credentials. Threat attackers can use misleading names and descriptions of familiar packages to trick users into installing them.

PyPI helps developers find and install software developed and shared by other developers in this community. According to its website, PyPI has more than 609,020 active users, working on 388,565 projects, with 3,630,725 versions.

attack methodology

To carry out their attacks, cybercriminals will trick users into installing a malicious package using misleading names and descriptions. As part of the installation script, malicious packages do a malicious job, such as stealing users’ credentials. The malicious code ends up sending the credentials you steal elsewhere. In the end, users don’t realize that all this just happened.

malicious packages

Check Point Research (CPR) provides details about the packets it has detected.

• Ascii2text. The code was responsible for downloading and executing a malicious script that searches for local passwords and loads them using a discord web hook.
• Pyg-utils, Pymocks, and PyProto2. As part of the setup.py installation, Pyg-utils is associated with a malicious domain (pygrata.com) which may be the infrastructure of a phishing attack. Interestingly, Pymocks and PyProto2 have nearly identical code targeting a different domain – pymocks.com.
• asynchronous test. It’s described in its description as “a very cool and very useful test package that everyone 100% needs”. In its setup.py installer, it downloads and executes most likely malicious code from the web. Interestingly, before this snippet is downloaded, it notifies the Discord channel of a “new playback” start.
• Free-net-vpn and Free-net-vpn2 They are malicious packages that target environment variables. These secrets are then propagated to a specific site by the dynamic DNS mapping service.
• zips, Probably to try to confuse PyPI users with the popular Python package included with zlib.
• Browsersteals the installer’s credentials and sends them to a web link on Discord as part of the installation process.
• WINRPCexpoitIt describes itself as a “Windows RPC exploit package” when in fact it only steals the credentials of the installer.