The Python Package Index: Info Stealing Malware in Open-Source Software

In the sprawling ecosystem of open-source software, the Python Package Index (PyPI) stands as a cornerstone, fostering innovation and collaboration among developers. However, this repository, designed to be a wellspring of productivity, has become a battleground against an insidious form of cyber threat: info stealing malware packages. The recent findings by FortiGuard Labs unveil a threat within the PyPI library, orchestrated by a malware author known only as “WS”.

The clandestine operation led by “WS” has seen the discreet upload of malicious packages such as nigpal, figflix, telerer, and several others to PyPI. These packages, masked under the guise of utility, harbor a sinister purpose: to execute attack methodologies eerily reminiscent of those described in earlier cybersecurity exposes. The incorporation of base64-encoded source code is designed to unleash a malicious payload upon unsuspecting victims, spanning a variety of operating systems.

Extracted files | Image: FortiGuard Labs

These payloads, once a mere theory, have manifested into a stark reality. For Windows users, the threat materializes as Whitesnake PE malware, whereas Linux devices face a Python script poised to pilfer information. The innovation doesn’t stop at the method of attack; the transmission of stolen data has evolved from a fixed URL to a spectrum of IP addresses, complicating efforts to trace and neutralize the threat.

Among the payloads unearthed, the sGMM package stands out for its Python-compiled executable, a departure from the .NET-based Whitesnake PE payloads. This payload, sophisticated in its simplicity, targets the clipboard, scanning for and replacing cryptocurrency addresses, thereby diverting funds to the attacker’s wallet. Meanwhile, the myGens & NewGends packages launch an invisible assault, employing powershell.exe to insinuate themselves into the Windows Defender’s exclusion list, ensuring their malicious activities go undetected.

The implications of these findings extend far beyond the immediate victims. With over 2,000 devices estimated to be compromised by “WS” alone, the ripple effect of such info stealing malware is vast. It underscores the precarious balance between the open-source model’s ethos of accessibility and the imperative of security. Users, from individual developers to large enterprises, are urged to vet packages for potential malevolence before integration.