Clipper detected in more than 451 packages in the PyPI repository

February 20, 2023

Phylum has published details of an attack based on planting malicious packages in PyPI (the Python Package Index). These packages contain code that installs a malicious browser extension in order to hijack cryptocurrency transactions. The attack relies on a "clipper", the class of clipboard-hijacking malware we have written about in the past (Laplas Clipper).

The attackers used typosquatting: publishing a package under a deliberately misspelled version of a popular name, so that a developer who mistypes the name installs the attacker's package instead of the real one. The impersonated packages were: aiohttp, beautifulsoup, bitcoinlib, ccxt, colorama, cryptocompare, cryptofeed, freqtrade, matplotlib, pandas, pygame, pyinstaller, pytorch, scikit-learn, scrapy, selenium, solana, tensorflow, vyper, websockets, yfinance. Each name was imitated 13 to 38 times, covering many plausible typos.

Chinese ideograms were also used to obscure the code. At first glance the code looks complicated, but it is not hard to unravel. Moreover, the presence of unusual characters in packaging or installation code should by itself be treated as a sign that something may be wrong.
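The "unusual characters" signal can be automated. The following is an added example (not code from the original article or from Phylum) that tokenizes a setup script with Python's own tokenizer and reports every identifier or string literal containing non-ASCII characters, grouped by the script they belong to. The sample setup script is constructed here in the style described above; its string value is a placeholder, not the real payload.

```python
import io
import tokenize
import unicodedata


def unusual_tokens(source: str) -> list[tuple[int, str, str, str]]:
    """List identifiers and string literals that contain non-ASCII characters.

    Each entry is (line, token kind, token text, scripts); scripts is derived from the
    Unicode character names, e.g. 'CJK' for ideographs or 'CYRILLIC' for homoglyphs.
    Python 3 accepts identifiers in any script, so an obfuscator can name variables
    with ideographs; genuine packaging code almost never does, which makes this a
    cheap triage signal rather than proof of malice.
    """
    findings = []
    try:
        tokens = list(tokenize.generate_tokens(io.StringIO(source).readline))
    except (tokenize.TokenError, SyntaxError):
        return [(0, "ERROR", "could not tokenize source", "")]
    for tok in tokens:
        if tok.type not in (tokenize.NAME, tokenize.STRING) or tok.string.isascii():
            continue
        scripts = sorted({unicodedata.name(ch, "UNKNOWN").split()[0]
                          for ch in tok.string if not ch.isascii()})
        findings.append((tok.start[0], tokenize.tok_name[tok.type],
                         tok.string, ",".join(scripts)))
    return findings


def non_ascii_ratio(source: str) -> float:
    """Share of non-ASCII characters in the whole file: a tokenizer-independent
    second signal that also catches junk hidden in comments."""
    if not source:
        return 0.0
    return sum(not ch.isascii() for ch in source) / len(source)


# Constructed sample in the style described in the article; 'placeholder' stands in
# for whatever the real obfuscated payload was.
SUSPICIOUS_SETUP = (
    "from setuptools import setup\n"
    "一 = 'placeholder'\n"
    "二 = 一[::-1]\n"
    "setup(name='colorama', version='0.0.1')\n"
)
CLEAN_SETUP = "from setuptools import setup\nsetup(name='colorama', version='0.0.1')\n"

if __name__ == "__main__":
    for line, kind, text, scripts in unusual_tokens(SUSPICIOUS_SETUP):
        print(f"line {line}: {kind} {text!r} ({scripts})")
    print("non-ASCII ratio:", round(non_ascii_ratio(SUSPICIOUS_SETUP), 3))
```

Run it over `setup.py` and the top-level module of a freshly downloaded sdist before installing; a handful of CJK or Cyrillic identifiers in a package whose README is in English deserves a closer look.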

Running the malicious code creates a browser extension containing JavaScript that reads the contents of the clipboard. It then searches for shortcuts to Google Chrome, Microsoft Edge, Opera and Brave and modifies them so that the newly created extension is loaded automatically whenever the browser is launched. In this way the malicious code continuously monitors the victim's clipboard. When a copied cryptocurrency wallet address is detected, the clipboard contents are replaced with one of several attacker-controlled wallet addresses hard-coded in the extension.
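The modified browser shortcuts are the most durable artifact this leaves on a machine, so they are a good thing to sweep for. The following is an added example (not code from the original article or from Phylum) that scans Windows shell-link (`.lnk`) files for an injected `--load-extension` argument. The article only says the shortcuts were altered so that the extension loads at start-up; `--load-extension` is Chromium's documented switch for side-loading an unpacked extension from the command line, so the example assumes that is the mechanism. The `fake_lnk` helper, the sample arguments and the extension directory path are all constructed for the example.

```python
import re
from pathlib import Path

# Chromium's switch for side-loading an unpacked extension directory. Assumed here to be
# how the shortcuts were altered; the value may be quoted and may be a comma-separated list.
_ARG_RE = re.compile(r'--load-extension=("[^"]*"|[^\s\x00"]+)')


def _decodings(data: bytes):
    """Yield the link's bytes decoded each way COMMAND_LINE_ARGUMENTS may be stored.

    MS-SHLLINK stores that string as UTF-16LE when the IsUnicode flag is set (the usual
    case) and in the system code page otherwise; both UTF-16 alignments are tried because
    the string need not start at an even offset. This is a byte-level sweep, not a full
    LNK parser, which is enough to triage a machine quickly.
    """
    yield data.decode("latin-1")
    yield data.decode("utf-16-le", errors="ignore")
    yield data[1:].decode("utf-16-le", errors="ignore")


def injected_extensions(data: bytes) -> list[str]:
    """Return the extension directories a shortcut passes via --load-extension."""
    found: list[str] = []
    for text in _decodings(data):
        for m in _ARG_RE.finditer(text):
            for path in m.group(1).strip('"').split(","):
                if path and path not in found:
                    found.append(path)
    return found


def scan_shortcuts(root: Path) -> dict[str, list[str]]:
    """Map each .lnk under root whose arguments load an extension to those directories."""
    hits: dict[str, list[str]] = {}
    for lnk in root.rglob("*.lnk"):
        ext = injected_extensions(lnk.read_bytes())
        if ext:
            hits[str(lnk)] = ext
    return hits


def fake_lnk(arguments: str, unicode: bool = True) -> bytes:
    """Constructed stand-in for a shell link, used only to exercise the scanner offline:
    the real 76-byte header (HeaderSize + LinkCLSID, remainder zeroed) followed by the
    arguments as length-prefixed StringData, UTF-16LE or ANSI as a real link stores it."""
    header = b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
    header = header.ljust(0x4C, b"\x00")
    encoded = arguments.encode("utf-16-le" if unicode else "cp1252")
    return header + len(arguments).to_bytes(2, "little") + encoded


# Constructed samples; the extension directory is a placeholder, not the campaign's path.
MALICIOUS_ARGS = r'--load-extension="C:\Users\victim\AppData\Local\Temp\ext_dir" --no-first-run'
BENIGN_ARGS = "--profile-directory=Default"

if __name__ == "__main__":
    for label, args in (("malicious", MALICIOUS_ARGS), ("benign", BENIGN_ARGS)):
        print(label, injected_extensions(fake_lnk(args)))
```

On a real Windows host, point `scan_shortcuts` at the Desktop, `%APPDATA%\Microsoft\Windows\Start Menu` and `%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar`, which is where the browser shortcuts a user actually clicks live; any `--load-extension` hit pointing into a temp or profile directory is worth pulling for analysis.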

Recently there has been a growing number of reports of malicious code found in PyPI packages. Some examples observed since the beginning of this year:

  • W4SP Stealer [1] – steals passwords, authentication cookies and cryptocurrency wallets
  • Lolip0p [2] – downloads information-stealing malware
  • aptx, bingchilling2, httops and tkint3rs [3] – malware download, manipulation of the SSH authorized_keys file, removal of netstat


Because of the language's popularity and the convenience of ready-made packages, inattentive developers have become easy targets. Pulling an unvetted package into a project can put the whole project at risk, so every dependency deserves a closer look before it is used.

How to protect yourself from such threats?

  • Double-check package names for typos before installing – typosquatting only works if the misspelled name is actually used.
  • Install and exercise new packages in an isolated test environment first.
  • Verify hashes – pin the expected digest of each dependency (for example `--hash=sha256:...` entries in requirements.txt, enforced with `pip install --require-hashes`) so that a substituted artifact is rejected. Note that this guards against a tampered or swapped file, not against pinning a typosquatted package in the first place.
  • Verify the account that published the package (account creation date, other projects).
  • Review the code – this is time-consuming, but even a cursory look at setup.py and the top-level module can be effective (as in the case described above, where the Chinese characters were noticed).
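The first and third points above (typo checking and hash verification) can be turned into a pre-install gate. The following is an added example, not code from the original article or from pip, that flags requirement lines whose name is within a small edit distance of a watched package name and lines that carry no `--hash=sha256:` pin, and shows the digest comparison that `--require-hashes` performs. The watch list is the set of names the article reports as impersonated; the sample requirements file and its all-zero placeholder digest are constructed for the example.

```python
import hashlib
import hmac
import re

# Legitimate names the article lists as typosquatting targets, used here as the watch list.
TARGETS = [
    "aiohttp", "beautifulsoup", "bitcoinlib", "ccxt", "colorama", "cryptocompare",
    "cryptofeed", "freqtrade", "matplotlib", "pandas", "pygame", "pyinstaller",
    "pytorch", "scikit-learn", "scrapy", "selenium", "solana", "tensorflow",
    "vyper", "websockets", "yfinance",
]


def normalize(name: str) -> str:
    """PEP 503 name normalization: PyPI treats 'Scikit_Learn' and 'scikit-learn' as the
    same project, so names differing only in case, '-', '_' or '.' are not typosquats."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance over insert/delete/substitute, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(name: str, known=TARGETS, max_distance: int = 2) -> list[str]:
    """Watched names that `name` is close to without being one of them.

    Distance 1 covers a dropped, added or wrong letter; a swapped pair ('pandsa') costs 2.
    Lower max_distance for very short names such as 'ccxt', where 2 flags far too much.
    """
    n = normalize(name)
    known_norm = {normalize(k): k for k in known}
    if n in known_norm:
        return []
    return [k for kn, k in known_norm.items() if levenshtein(n, kn) <= max_distance]


_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def check_requirements(text: str, known=TARGETS) -> list[dict]:
    """Flag requirement lines whose name looks like a typo of a watched package, or which
    lack a '--hash=sha256:' pin (the form that 'pip install --require-hashes' enforces)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment-only, or a pip option line
            continue
        m = _NAME_RE.match(line)
        if not m:
            continue
        name = m.group(0)
        entry = {
            "line": lineno,
            "name": name,
            "lookalikes": lookalikes(name, known),
            "hashed": "--hash=sha256:" in line,
        }
        if entry["lookalikes"] or not entry["hashed"]:
            findings.append(entry)
    return findings


def verify_sha256(artifact: bytes, expected_hex: str) -> bool:
    """The check behind --require-hashes: the downloaded file's digest must equal the
    pinned one. compare_digest avoids leaking how many leading bytes matched."""
    return hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), expected_hex.lower())


# Constructed sample requirements file; the digest is an all-zero placeholder, not real.
SAMPLE_REQUIREMENTS = """\
pandas==1.5.3 --hash=sha256:{zeros}
pandsa
colorama
tensorflwo==2.11.0
requests
""".format(zeros="0" * 64)

if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f['line']}: {f['name']!r} lookalikes={f['lookalikes']} hashed={f['hashed']}")
```

The watch list should be whatever your organisation actually depends on rather than this fixed set, and a line that is flagged only for a missing hash is a hygiene issue, while a lookalike hit should block the install until someone confirms the name on PyPI by hand.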


We also encourage you to read our article on the safe use of PyPI.

We would also like to remind you that the principles of caution and limited trust do not apply only to Python. Whatever the language, one should be careful when pulling code from publicly available package repositories.

Sources:

[1] Devs targeted by W4SP stealer malware in malicious PyPi packages
[2] Malicious ‘Lolip0p’ PyPi packages install info-stealing malware
[3] Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages
