Dozens of PyPI Packages Distribute W4SP Malware

by Emma Davis
November 4, 2022
PyPI packages and W4SP malware
Written by Emma Davis

Phylum, a supply chain security company, discovered 29 malicious packages in the PyPI repository (the list can be found below) that infected their victims with the W4SP data-stealing malware.

Let me remind you that we also said that 10 Malicious PyPI Packages Steal Credentials, and also that Popular PyPI ctx Package Stole Developer’s Data.

According to the researchers, the malicious packages imitated real-life popular libraries (also borrowing their code), that is, they used typesquatting to attract victims. According to Pepy.tech statistics, these packages have been downloaded more than 5700 times in total.

PyPI packages and W4SP malware
One of the fake packages

This attack starts by copying existing popular libraries and simply injecting a malicious __import__ statement into a ready-made codebase. The advantage that an attacker got from copying existing legitimate packages was that the landing page for the PyPI package is generated from setup.py and README.md. That is, the attacker immediately received a natural-looking landing page with working links, and so on. If not carefully checked, a quick glance could lead to the conclusion that this is a legitimate package.experts say.

In their report, the analysts explain in detail what problems they had to face when studying the obfuscated code (over 71,000 characters), which turned out to be “rather dirty”, and through which they had to literally wade through.

PyPI packages and W4SP malware
Obfuscated typosquats code

Ultimately, the researchers concluded that the malware distributed by these packages is the W4SP infostealer, which steals Discord tokens, cookies, and saves passwords from its victims.

Hauke Lübbers

Hauke Lübbers

The publication Bleeping Computer reports that this week independent information security specialist Hauke Lübbers also discovered the malware in PyPI. He managed to find the typesquatter pystile and threading packages containing the GyruzPIP malware.

According to the expert, this malware is based on the evil-pip open-source project, which is published online “for educational purposes only.” He also found two repositories on GitHub (1, 2), presumably owned by the authors of this malware, which he reported to the platform security team.

Lubbers has already reported the malicious packages to the PyPI administrators, although he thinks it is likely that the packages need to be used as dependencies in order for them to exhibit malicious behavior.

List of malicious packages found by Phylum researchers:

  1. algorithmic
  2. colorsama
  3. colorwin
  4. curlapi
  5. cypress
  6. duonet
  7. faq
  8. fatnoob
  9. felpesviadinho
  10. iao
  11. incrivelsim
  12. installpy
  13. oiu
  14. pydprotect
  15. pyhints
  16. pyptext
  17. pyslyte
  18. pystyle
  19. pystyte
  20. pyurllib
  21. requests-httpx
  22. shaasigma
  23. strinfer
  24. stringe
  25. sutiltype
  26. twyne
  27. type-color
  28. typestring
  29. typesutil
Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending