CyberSecurityBoard
Sponsor Register Login

Malicious PyPI packages targeting highly specific MacOS machines

As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages.
In this post, we describe a particularly interesting cluster of malicious packages that we've identified.
In late 2022, we released GuardDog, a CLI-based tool that uses Semgrep and package metadata heuristics to identify malicious software packages based on common patterns.
A few months later, we started instrumenting GuardDog at scale to continuously scan the Python Package Index.
We've identified and manually triaged close to 1,500 malicious packages that we regularly publish as part of an open source dataset, which is one of the largest labeled datasets of malicious packages made publicly available.
Empty information: The package had an empty description, which is unusual for legitimate packages.
Single python file: The package consisted of a single Python file, which is also slightly suspicious.
Command overwrite: The package was overwriting the install command, triggering code that gets automatically executed when someone pip installs it.
Code execution: The package was executing OS commands.
Although each of these rules individually only gave us a clue as to whether the package was malicious, these four pieces of information put together gave us a strong sense that we were looking at a malicious package.
After diving deeper into the packages, we confirmed that they contained malicious code.
The initial package that prompted our analysis was published to PyPI on May 9, 2024 and was named reallydonothing.
As we'll see in the Detailed analysis section, this piece of malware targets specific systems and infects the victim's machine only if a specific, secret file is identified on the local file system.
These packages don't attempt to mimic or implement legitimate functionality.
The malicious code then searches for a secret file whose path, when hashed, matches a predetermined hardcoded value.
The packages we've identified and analyzed look for different file patterns, use different hardcoded salt and binary values, and drop binaries in different locations.
It's likely that these packages are part of a broader campaign targeting a specific set of machines, based on either a specific configuration or markers left from a previous infection.
The malicious packages we've analyzed in this post have been identified by GuardDog, an open source project that you can run on your own dependencies or arbitrary PyPI and NPM packages.
We'll make sure to update this post if we identify new malicious packages that exhibit a similar behavior.
May 23, 2024Added a reference to a newly-published malicious packaged, published on May 23th after the initial publication of this post.


This Cyber News was published on securitylabs.datadoghq.com. Publication date: Mon, 27 May 2024 12:43:10 +0000


Cyber News related to Malicious PyPI packages targeting highly specific MacOS machines

Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 month ago Securitylabs.datadoghq.com
3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
1 year ago Securityaffairs.com
116 Malicious PyPI Packages Downloaded Over 10,000 Times - A cluster of malicious Python projects has been identified in PyPI, the official Python PyPI package repository, which targets both Windows and Linux systems and often deploys a custom backdoor. In certain instances, the ultimate payload consists of ...
6 months ago Cybersecuritynews.com
DPython's Poisoned Package: Another 'Blank Grabber' Malware in PyPI - Python Package Index is a platform that offers an extensive range of packages to simplify and enhance the development process. Malicious actors regularly upload phishing packages in the platform's repository aimed at delivering malware to steal the ...
5 months ago Imperva.com
New Typosquatting and Repojacking Tactics Uncovered on PyPI - Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories. This trend encompasses a wide array of malicious activities, including hosting command-and-control ...
4 months ago Infosecurity-magazine.com
Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices - Affected platforms: LinuxAffected parties: Linux users that have these malicious packages installedImpact: Latency in device performanceSeverity level: High. On December 5th, 2023, FortiGuard's AI-driven OSS malware detection system identified three ...
6 months ago Feeds.fortinet.com
New Supply Chain Attack Leveraging Python Package Index Targeting Wacatac Trojan - A new supply chain attack has recently been detected targeting Python Package Index (PyPI) users with the Wacatac Trojan. This attack is seen as the latest in a series of advanced persistent threats (APT) targeting the escalating use of Python in ...
1 year ago Securityweek.com
Cybercriminals pose as "helpful" Stack Overflow users to push malware - Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware-answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware. Sonatype researcher Ax Sharma discovered ...
1 month ago Bleepingcomputer.com
Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
1 year ago Securityweek.com
PyPi package backdoors Macs using the Sliver pen-testing suite - A new package mimicked the popular 'requests' library on the Python Package Index to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate networks. Discovered by Phylum, the campaign involves ...
1 month ago Bleepingcomputer.com
Developers, watch your code: Official Python respository spread malicious projects - PyPI helps users locate and install software developed and released by the Python community as well as serving as a repository where developers can distribute their software. Recently, cybersecurity specialist ESET discovered a series of malicious ...
6 months ago Zdnet.com
Misconfiguration and vulnerabilities biggest risks in cloud security: Report - The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig. While zero trust is a top priority, data showed ...
1 year ago Csoonline.com
Volt Typhoon Ramps Up Malicious Activity Against Critical Infrastructure - China-backed cyber espionage group Volt Typhoon is systematically targeting legacy Cisco devices in a sophisticated and stealthy campaign to grow its attack infrastructure. In many instances, the threat actor, known for targeting critical ...
5 months ago Darkreading.com
'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
6 months ago Bleepingcomputer.com
Japan Blames North Korea for PyPI Supply Chain Cyberattack - Japanese cybersecurity officials warned that North Korea's infamous Lazarus Group hacking team recently waged a supply chain attack targeting the PyPI software repository for Python apps. Developers who get tricked into downloading the nefarious ...
3 months ago Darkreading.com
Attackers Finding Novel Ways to Abuse GitHub: ReversingLabs - Threat actors are finding new ways to take advantage of GitHub in hopes of tricking developers into putting malicious code into their software and sending to users downstream, according to researchers with ReversingLabs. Code repositories like GitHub ...
6 months ago Securityboulevard.com
Pirated Software Puts Mac Users at Risk as Proxy Malware Emerges - Malware is being targeted at Mac users who receive pirated versions of popular apps from warez websites after they choose to download them from those websites. Various reports state that cybercriminals are infecting macOS devices with proxy trojans ...
7 months ago Cysecurity.news
Android malware and unwanted software statistics for Q1 2024 - Over 389,000 malicious installation packages were detected, of which: 11,729 packages were related to mobile banking Trojans, 1,990 packages were mobile ransomware Trojans. The rapid growth in the total number of attacks between Q2 and Q4 2023 is ...
1 month ago Securelist.com
Sophisticated macOS Infostealers Get Past Apple's Built-In Detection - Increasingly sophisticated infostealers are targeting macOS with the capability to evade Apple's built-in malware protection, as attackers are becoming more savvy about how to crack static signature-detection engines like the platform's proprietary ...
5 months ago Darkreading.com
Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI - A new set of malicious Python packages has slithered their way to the Python Package Index repository with the ultimate aim of stealing sensitive information from compromised developer systems. The packages masquerade as seemingly innocuous ...
7 months ago Thehackernews.com
Stealthy New macOS Backdoor Hides on Chinese Websites - A sneaky macOS backdoor that allows attackers to remotely control infected machines has been hiding in trojanized applications for the platform that are hosted on Chinese websites. Researchers from Jamf Threat Labs discovered the series of poisoned ...
5 months ago Darkreading.com
CVE-2022-48769 - In the Linux kernel, the following vulnerability has been resolved: efi: runtime: avoid EFIv2 runtime services on Apple x86 machines Aditya reports [0] that his recent MacbookPro crashes in the firmware when using the variable services at runtime. ...
2 weeks ago Tenable.com
The Ultimate Guide To Securing Virtual Machines - Virtual machines have become an essential component of many sectors in the digital era, providing flexibility, scalability, and cost-efficiency. The security of these virtualized environments, on the other hand, is critical. This article will guide ...
5 months ago Feeds.dzone.com
Unsung GitHub Features Anchor Novel Hacker C2 Infrastructure - Researchers have come across a GitHub account abusing two unique features of the site to host stage-two malware. Hackers have increasingly been repurposing public services as headquarters for their misdeeds - housing malware in public code ...
6 months ago Darkreading.com
APT trends report Q1 2024 - Careto is a highly sophisticated threat actor that has been seen targeting various high-profile organizations since at least 2007. The last operations conducted by this threat actor were observed in 2013. Our private report provided a detailed ...
1 month ago Securelist.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)