New Typosquatting and Repojacking Tactics Uncovered on PyPI

Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories.
This trend encompasses a wide array of malicious activities, including hosting command-and-control infrastructure, storing stolen data and disseminating various forms of malware.
In a recent discovery, ReversingLabs reverse engineer Karlo Zanki uncovered two suspicious packages on the Python Package Index, named NP6HelperHttptest and NP6HelperHttper.
These packages were found to employ DLL sideloading, a technique malicious actors use to execute code discreetly and avoid detection by security monitoring tools.
Typosquatting and repojacking, also used in the deployment of these packages, are common tactics malicious actors employ to distribute look-alike packages, aiming to deceive developers into incorporating them into their applications.
The recent discovery of NP6HelperHttptest and NP6HelperHttper on PyPI exemplifies such tactics, exploiting similarities with legitimate NP6 packages - a marketing automation tool developed by Chapvision - to dupe unsuspecting users.
In this case, ReversingLabs discovered that the NP6 PyPI account wasn't officially associated with Chapvision; rather, it belonged to a Chapvision developer's personal account.
It remains uncertain whether the company was aware of the existence of the account, or of the NP6HelperHttp and NP6HelperConfig tools.
Upon notification of these packages by ReversingLabs, Chapvision confirmed that one of their employees had indeed published the helper tools.
Shortly thereafter, the packages were removed from PyPI. Further examination of the malicious packages revealed a sophisticated scheme involving executing malicious code hidden within setup.
These scripts facilitated the download and execution of both legitimate and malicious files, with the latter posing significant security risks.
ReversingLabs' research not only shed light on individual instances of malicious activity but also suggested a broader campaign involving multiple packages and sophisticated tactics, all relying on DLL sideloading.


This Cyber News was published on www.infosecurity-magazine.com. Publication date: Tue, 20 Feb 2024 17:45:27 +0000


Cyber News related to New Typosquatting and Repojacking Tactics Uncovered on PyPI

New Typosquatting and Repojacking Tactics Uncovered on PyPI - Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories. This trend encompasses a wide array of malicious activities, including hosting command-and-control ...
8 months ago Infosecurity-magazine.com
Typosquatting Wave Shows No Signs of Abating - One of the most enduring of these exploits is the practice of typosquatting - i.e., using look-alike websites and domain names to lend legitimacy to social engineering efforts. These look-alikes prey on users' inattention to verifying legitimate ...
7 months ago Darkreading.com
116 Malicious PyPI Packages Downloaded Over 10,000 Times - A cluster of malicious Python projects has been identified in PyPI, the official Python PyPI package repository, which targets both Windows and Linux systems and often deploys a custom backdoor. In certain instances, the ultimate payload consists of ...
10 months ago Cybersecuritynews.com
DPython's Poisoned Package: Another 'Blank Grabber' Malware in PyPI - Python Package Index is a platform that offers an extensive range of packages to simplify and enhance the development process. Malicious actors regularly upload phishing packages in the platform's repository aimed at delivering malware to steal the ...
9 months ago Imperva.com
Cybercriminals pose as "helpful" Stack Overflow users to push malware - Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware-answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware. Sonatype researcher Ax Sharma discovered ...
5 months ago Bleepingcomputer.com
3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
1 year ago Securityaffairs.com
From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering - Key takeaways  TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime. In addition to using specially ...
6 months ago Proofpoint.com
PyPi package backdoors Macs using the Sliver pen-testing suite - A new package mimicked the popular 'requests' library on the Python Package Index to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate networks. Discovered by Phylum, the campaign involves ...
5 months ago Bleepingcomputer.com
Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
1 year ago Securityweek.com
New PyPI Malware Poses as Crypto Wallet Tools to Steal Private Keys - The cybersecurity researchers at Checkmarx uncovered a series of new supply chain attacks that exploited the Python Package Index (PyPI) in September 2024 using malicious packages to target cryptocurrency wallets. These packages identified as ...
1 month ago Hackread.com
East Texas hospital network can't receive ambulances because of potential cybersecurity incident - GetTime();if(!(u<=a&&d<=l throw new RangeError("Invalid interval");return r.inclusive?u<=l&&d<=a:ut||isNaN(t. Step):1;if(s<1||isNaN(s throw new RangeError("`options. Step):1;if(l<1||isNaN(l throw new RangeError("`options. GetTime()<=n throw new ...
11 months ago Cnn.com
New Supply Chain Attack Leveraging Python Package Index Targeting Wacatac Trojan - A new supply chain attack has recently been detected targeting Python Package Index (PyPI) users with the Wacatac Trojan. This attack is seen as the latest in a series of advanced persistent threats (APT) targeting the escalating use of Python in ...
1 year ago Securityweek.com
Checkmarx Report Surfaces Software Supply Chain Compromises - Checkmarx published an inaugural monthly report this week that finds 56% of the attacks against software supply chains that it analyzed resulted in the theft of credentials and confidential data. More than a quarter of attacks employed some form of ...
8 months ago Securityboulevard.com
ChatGPT Extensions Could be Exploited to Steal Data and Sensitive Information - API security professionals Salt Security have released new threat research from Salt Labs highlighting critical security flaws within ChatGPT plugins, presenting a new risk for enterprises. Plugins provide AI chatbots like ChatGPT access and ...
7 months ago Itsecurityguru.org
macOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks - North Korean advanced persistent threat groups are mixing and matching components of two recently unleashed types of Mac-targeted malware to evade detection and fly under the radar as they continue their efforts to conduct operations at the behest of ...
11 months ago Darkreading.com
Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
5 months ago Securitylabs.datadoghq.com
Year in Malware 2023: Recapping the major cybersecurity stories of the past year - Botnets kept coming back from the dead, ransomware actors found new ways to make money through data theft extortion and threat actors and malware who have been around for more than a decade find ways to stay relevant. After Microsoft blocked macros ...
10 months ago Blog.talosintelligence.com
Attackers Finding Novel Ways to Abuse GitHub: ReversingLabs - Threat actors are finding new ways to take advantage of GitHub in hopes of tricking developers into putting malicious code into their software and sending to users downstream, according to researchers with ReversingLabs. Code repositories like GitHub ...
10 months ago Securityboulevard.com
Understanding the New SEC Rules for Disclosing Cybersecurity Incidents - The U.S. Securities and Exchange Commission recently announced its new rules for public companies regarding cybersecurity risk management, strategy, governance, and incident exposure. "Currently, many public companies provide cybersecurity disclosure ...
11 months ago Feeds.dzone.com
TikTok Removes Russian Propaganda Networks - TikTok removes hundreds of thousands of fake accounts spreading Russian propaganda and seeking to weaken Western support for Ukraine. TikTok said it has removed hundreds of thousands of fake Russian-operated accounts that targeted users in Europe, ...
10 months ago Silicon.co.uk
It's Time to Tear Down the Barriers Preventing Effective Threat Intelligence - Today, organizations are confronted with a deluge of cyber threats, ranging from sophisticated AI-powered ransomware to tried and true brute force attacks. At this point, IT security teams know it's essential to stay one step ahead of cybercriminals, ...
9 months ago Cyberdefensemagazine.com
Trouble in Da Hood: Malicious Actors Use Infected PyPI Packages to Target Roblox Cheaters | Imperva - In recent research on compromised and malicious PyPI packages, Imperva Threat Research has identified an ongoing malware campaign specifically targeting Roblox hackers. Over time, vast communities have assembled on various platforms such as Reddit, ...
1 month ago Imperva.com
Chinese APT 'Earth Krahang' Compromises 48 Gov't Orgs on 5 Continents - A previously unidentified Chinese espionage group has managed to breach at least 70 organizations across 23 countries, including 48 in the government space, despite using rather standard-fare tactics, techniques, and procedures. Fitting such a ...
7 months ago Darkreading.com
Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices - Affected platforms: LinuxAffected parties: Linux users that have these malicious packages installedImpact: Latency in device performanceSeverity level: High. On December 5th, 2023, FortiGuard's AI-driven OSS malware detection system identified three ...
10 months ago Feeds.fortinet.com
Hospitality Industry Faces New Password-Stealing Malware - Cybersecurity researchers have uncovered a novel targeted malspam operation deploying password-stealing malware. The campaign was discovered by Sophos X-Ops and described in an advisory published today. According to the report, the attackers employed ...
10 months ago Infosecurity-magazine.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)