Tuesday, July 2, 2024

Experts discover +451 clipper malware-laced packages in PyPI repository
Security Affairs

Threat actors have published more than 451 unique malware-containing Python packages in the official Python Package Index (PyPI) repository.

Phylum researchers found more than 451 unique Python packages in the official Python Package Index (PyPI) repository in an attempt to deliver Clipper malware to developer systems.

According to the researchers, the activity is still ongoing and is a continuation of a malicious campaign first discovered in November 2022.

Threat actors typosquatted several popular packages on PyPI, such as:

  • bitcoinlib
  • ccxt
  • cryptocompare
  • cryptofeed
  • freqtrade
  • selenium
  • solana
  • vyper
  • websockets
  • yfinance
  • pandas
  • matplotlib
  • aiohttp
  • beautifulsoup
  • tensorflow
  • scrapy
  • colorama
  • scikit-learn
  • pytorch
  • pygame
  • pyinstaller

Researchers report that the attackers are registering the same malicious code under every plausible simple typo of each legitimate package name. This process is simple and easy to automate.

Phylum noted that the obfuscation techniques used in these packages are significantly different from the ones they found in November 2022.

After the malicious package is installed, a JavaScript file is dropped onto the system and runs in the background of every web browsing session, replacing any cryptocurrency wallet address the developer copies with the attacker’s address.

“Ultimately, this code is trying to match exactly what we found in November. It silently replaces the cryptocurrency wallet address copied to the user’s clipboard with a wallet address controlled by the attacker,” reads the analysis published by Phylum. “It does this by creating a browser extension and then writing the following JavaScript in that extension.”

The malware establishes persistence by instructing the developer’s browser to load this extension each time the browser is opened.

The Clipper malware targets popular web browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. The malware modifies the browser shortcuts so that the browser is launched with the “--load-extension” command-line flag, which loads the malicious extension at every start.
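Because the persistence mechanism is a modified launch command, the browser command line is the place to look for it. The script below is an added example (not code from the article or from Phylum) that audits browser command lines, as they would appear in process-creation telemetry or in the target field of a desktop shortcut, for the `--load-extension` flag and reports any side-loaded extension directory that is not under an approved development path. The command lines are constructed for the demo; collecting them from shortcuts or an endpoint agent is assumed to happen elsewhere.

```python
"""Flag Chromium-based browser launches that side-load an unpacked extension.

Added detection example over constructed command lines; the --load-extension flag
named in the article is what the rule keys on.
"""
import re

BROWSER_MARKERS = ("chrome", "chromium", "msedge", "microsoft-edge", "brave", "opera")

# --load-extension=path[,path...]; the value may be quoted and may hold several paths.
LOAD_EXT_RE = re.compile(r'--load-extension(?:=|\s+)(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def executable_of(cmdline: str) -> str:
    """First token of the command line, honouring a quoted path with spaces."""
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split()[0]


def is_browser(cmdline: str) -> bool:
    """True when the launched binary looks like one of the targeted browsers."""
    exe = executable_of(cmdline).lower()
    return any(marker in exe for marker in BROWSER_MARKERS)


def loaded_extension_paths(cmdline: str) -> list[str]:
    """Extension directories passed via --load-extension, or [] when absent."""
    m = LOAD_EXT_RE.search(cmdline)
    if not m:
        return []
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return [p for p in value.split(",") if p]


def audit(cmdlines, allowed_roots=()) -> list[dict]:
    """Report browser launches that side-load extensions outside approved roots."""
    findings = []
    for line in cmdlines:
        if not is_browser(line):
            continue
        suspicious = [p for p in loaded_extension_paths(line)
                      if not any(p.lower().startswith(root.lower()) for root in allowed_roots)]
        if suspicious:
            findings.append({"cmdline": line, "extensions": suspicious})
    return findings


# Constructed sample command lines; paths are illustrative, not indicators from the campaign.
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\dev\AppData\Local\Temp\ext"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension=C:\Users\dev\AppData\Roaming\upd,C:\Users\dev\AppData\Roaming\upd2 --no-first-run',
    r'/usr/bin/brave-browser --load-extension=/home/dev/.cache/chromium-ext',
    r'"C:\tools\node.exe" --load-extension=whatever',           # not a browser, ignored
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\src\myext',  # approved dev path
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CMDLINES, allowed_roots=(r"C:\src\myext",)):
        print("side-loaded extension(s):", finding["extensions"])
        print("  from:", finding["cmdline"])
```

On Windows the same check applies to the target string of each browser .lnk file on the desktop, taskbar and Start menu, since that is where the article says the flag is injected; extension developers do use `--load-extension` legitimately, which is what the allowlist of approved roots is for.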

“The attacker has significantly increased space on pypi through automation. Flooding the ecosystem with packages like this will continue,” the report concludes. “The use of Chinese characters, or any other Unicode plane for that matter, is a misdirection that is easy to detect and ignore.”


Pierluigi Paganini

(SecurityAffairs – hacking, clipper malware)
