Recent reports have highlighted the spread of malware via three specific Python Package Index (PyPI) packages. These three packages were identified and reported by Sonatype, a software supply chain security firm.
PyPI is a large repository that contains various open source packages for Python. By using PyPI, developers from all around the world are able to collaborate, share, and develop a variety of programs for Python.
Unfortunately, there are bad actors who are using the PyPI repository as a way to gain access to a variety of systems. These three malicious packages were all taken down as soon as the malicious activity was noticed, and the victims were alerted.
The packages, named "Colorama", "Jellyfish" and "Figgy", contained malicious scripts which installed a Windows program, "NetSupport Manager". NetSupport Manager is a remote control system that gives a malicious actor control over the victim's machine.
The malicious packages also contained scripts to post data to a variety of domains. Once again, the domains were all taken down after being identified.
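A defender-side triage aid for the pattern described above, added here as an example and not code from the article or from Sonatype: it assumes the install-time behaviour lives in a package's setup.py (the article does not say how the scripts ran) and statically flags setuptools command overrides and process/network imports so a reviewer knows which packages to read by hand before installing them.

```python
"""Static triage of a package's setup.py for install-time hooks.

Added example, not from the article or Sonatype. A hit means "read this
by hand", not "malicious"; plenty of legitimate packages use subprocess.
"""
import ast

# Modules and calls whose presence in setup.py warrants a closer look.
SUSPECT_MODULES = {"subprocess", "urllib", "urllib.request", "requests",
                   "socket", "base64", "ctypes"}
SUSPECT_CALLS = {"os.system", "os.popen", "exec", "eval",
                 "subprocess.call", "subprocess.run", "subprocess.Popen"}

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def triage_setup_py(source: str) -> list[str]:
    """Return human-readable findings for one setup.py source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            findings += [f"imports {a.name}" for a in node.names
                         if a.name in SUSPECT_MODULES]
        elif isinstance(node, ast.ImportFrom) and node.module in SUSPECT_MODULES:
            findings.append(f"imports from {node.module}")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUSPECT_CALLS:
                findings.append(f"calls {name}")
            elif name == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append("overrides setuptools commands via cmdclass")
    return findings

# Constructed sample (hypothetical, not any real package): runs code at install time.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess, base64

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.call(["echo", "post-install step"])

setup(name="example", version="0.1", cmdclass={"install": PostInstall})
'''
```

Running `triage_setup_py(SAMPLE_SETUP_PY)` on the constructed sample reports the subprocess and base64 imports, the subprocess.call and the cmdclass override; a plain `setup(name=..., version=...)` file yields no findings.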
Security experts have expressed their opinion on the matter, stressing the need for more security awareness among those who use PyPI. As the repository is open source, those who upload malicious packages are not easily identified. Therefore, the community needs to stay vigilant in order to ensure the safety of the packages they install.
Organizations are advised to prioritize security by keeping their security protocols up to date and being aware of malicious actors who may try to access their systems through legitimate-looking packages.
The three malicious packages were known to have spread between August 2019 and September 12th 2019, with at least five organizations affected. The malicious packages are no longer available on PyPI, but this incident shows that we should always remain alert to suspicious activity.
This Cyber News was published on securityaffairs.com. Publication date: Sun, 22 Jan 2023 10:48:00 +0000