Malware built to steal banking information and credentials for instant messengers such as Discord was reportedly downloaded more than 30,000 times from PyPI, the official package repository of the Python programming language. The malicious code was spread across eight packages that the attackers published for developers to pull into otherwise legitimate software.
Those packages were the foothold: once installed, the malware reached victims' computers and servers, and its disguise as an ordinary dependency helped hide its activity from security tools. According to the JFrog researchers who made the discovery, this kind of abuse lends itself to supply-chain attacks, in which malware hidden inside legitimate software runs unhindered because protection tools do not recognise its actions as malicious.
The packages were removed as soon as the repository's administrators were notified, the researchers say. Still, there is no way of knowing whether they have already been pulled into software projects that may eventually ship to legitimate systems. Hence the warning: JFrog has also published the list of malicious package names so that developers can stop using them.
Once running, the malware relies on obfuscation and on its cover as part of legitimate software to read the saved-password stores of the victim's browsers. From there it harvests login credentials for banking sites and for Discord, the messenger widely used by the gaming community; Discord is also the channel the attack uses to upload the stolen data to remote servers controlled by the criminals.
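The behaviour described above (reading Chrome/Edge credential stores, exfiltrating over Discord, hiding behind obfuscation) leaves indicators in a package's source that a reviewer can look for before installing it. The following is an added example, not JFrog's tooling and not the malware's own code: a small static scanner that walks a module's AST and flags string literals pointing at Chrome/Edge password databases, Discord webhook URLs, long base64 blobs, and `exec`/`eval` applied to computed data. The indicator patterns and both sample modules are constructed for this illustration; the package names and URLs in them are placeholders.

```python
import ast
import base64
import re
from typing import Iterator, List, Tuple

# Heuristic indicators derived from the behaviour described in the article.
# These are constructed patterns for illustration, not JFrog's detection rules.
WEBHOOK_RE = re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
BROWSER_STORE_RE = re.compile(r"(Chrome|Edge)[^\n]*(Login Data|Web Data|Local State)", re.I)
B64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{200,}$")


def _string_literals(tree: ast.AST) -> Iterator[Tuple[int, str]]:
    """Yield (line number, value) for every string literal in the module."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.lineno, node.value


def scan_source(source: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for one Python source file, sorted by line."""
    tree = ast.parse(source)
    findings: List[Tuple[int, str]] = []
    for lineno, text in _string_literals(tree):
        if WEBHOOK_RE.search(text):
            findings.append((lineno, "Discord webhook URL (possible exfiltration channel)"))
        if BROWSER_STORE_RE.search(text):
            findings.append((lineno, "path to a Chrome/Edge credential store"))
        if B64_BLOB_RE.match(text.replace("\n", "")):
            findings.append((lineno, "long base64 blob (possible obfuscated payload)"))
    for node in ast.walk(tree):
        # exec()/eval() whose argument is not a plain literal: code decoded or built at runtime
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval") and node.args
                and not isinstance(node.args[0], ast.Constant)):
            findings.append((node.lineno, f"{node.func.id}() on computed data (dynamic code execution)"))
    findings.sort(key=lambda f: f[0])
    return findings


# Constructed sample of a suspicious module (placeholder webhook, harmless payload).
_BLOB = base64.b64encode(b"print('constructed payload')" * 10).decode()
SAMPLE_SUSPICIOUS = r'''
import base64, os
DB = os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data")
HOOK = "https://discord.com/api/webhooks/000000/constructed-example-token"
exec(base64.b64decode("''' + _BLOB + r'''"))
'''

# Constructed sample of an ordinary module that should produce no findings.
SAMPLE_BENIGN = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        for lineno, msg in scan_source(SAMPLE_SUSPICIOUS):
            print(f"<sample>:{lineno}: {msg}")
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, msg in scan_source(fh.read()):
                print(f"{path}:{lineno}: {msg}")
```

Run it over the files of an unpacked sdist or wheel (`setup.py` and every `.py` in the package) before installing. The heuristics are deliberately noisy: a hit is a reason to read the code, not proof of malice, and real stealers may split paths across `os.path.join` calls or build URLs at runtime, which string-literal matching will miss.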
According to the researchers, the campaign's main target was the passwords stored in Microsoft Edge and Google Chrome. Developers who work with Python and may have installed these packages are therefore advised to review the passwords saved in their browsers and change them immediately, along with any of those credentials reused on other services. Payment cards stored in the browser should be cancelled.
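The practical first step behind the advice above, and behind the list of package names JFrog published, is to check whether any of those names appears in your requirements files or installed environment. A naive `grep` misses that PyPI treats `Example_Pkg`, `example.pkg` and `EXAMPLE-PKG` as the same project. The following added example (not JFrog's code) applies PEP 503 name normalisation before comparing against a denylist; the two denylist entries and the requirements text are constructed placeholders, not the names of the packages in the article.

```python
import re
from importlib import metadata
from typing import Iterable, List, Optional, Tuple


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case and collapse runs of '-', '_' and '.' to one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Placeholder names standing in for a published list of malicious packages.
# Constructed for this example; NOT the packages described in the article.
DENYLIST = {normalize(n) for n in ["example-stealer-pkg", "Example_Stealer_Pkg2"]}

# Leading project name of a requirement line: name, optional [extras], then specifiers.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirement(line: str) -> Optional[str]:
    """Return the project name from a requirements.txt / pip freeze line, or None."""
    line = line.split("#", 1)[0].strip()          # drop comments
    if not line or line.startswith(("-", "git+", "http")):   # pip options, VCS and URL refs
        return None
    m = REQ_LINE.match(line)
    return m.group(1) if m else None


def find_denied(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, name as written) for every requirement on the denylist."""
    hits = []
    for no, line in enumerate(lines, 1):
        name = parse_requirement(line)
        if name and normalize(name) in DENYLIST:
            hits.append((no, name))
    return hits


def installed_denied() -> List[str]:
    """Names of denylisted distributions installed in the current interpreter."""
    return sorted(
        dist.metadata["Name"]
        for dist in metadata.distributions()
        if dist.metadata["Name"] and normalize(dist.metadata["Name"]) in DENYLIST
    )


# Constructed requirements file: lines 2 and 3 spell the placeholder names differently.
SAMPLE_REQUIREMENTS = """\
requests==2.26.0
example.stealer_pkg>=1.0   # spelled differently from the list, still the same project
Example-Stealer-PKG2
-e git+https://example.invalid/repo.git#egg=internal-tool
numpy
"""


if __name__ == "__main__":
    for no, name in find_denied(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"requirements line {no}: {name} is on the denylist")
    for name in installed_denied():
        print(f"installed: {name} is on the denylist")
```

Feed it `requirements.txt`, a lock file, or `pip freeze` output (same `name==version` shape), and run `installed_denied()` inside each virtual environment and CI image. Removing the package is only half the response: per the advice above, credentials saved in browsers on any machine that had it installed should still be rotated.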
JFrog also turns its attention to PyPI moderation, noting that this is by no means the first time malicious packages have been published in the language's official repository. Downloading from an official index lends a package an appearance of legitimacy, and the experts say those responsible need to be more careful about what is allowed to be published there.
In June, for example, cryptocurrency miners were found among the packages on the index, and in May dozens of packages tied to spam distribution were detected. According to the experts, at least half of the packages made available on the official Python index may have security issues, ranging from moderate to severe.
According to the researchers, software built with the malicious packages could pass simple security checks, but more advanced protection solutions will block it or alert administrators that something may be wrong with it. The experts urge those responsible not to ignore such warnings and to pay attention to the code they are actually running.