Malicious packages aimed at stealing cryptocurrency have been identified in the PyPI repository

26 malicious packages containing obfuscated code in their setup.py script have been found in the PyPI (Python Package Index) catalog. The code checks the clipboard for cryptocurrency wallet identifiers and replaces them with the attacker's wallet, on the assumption that a victim who pastes a wallet address from the clipboard when making a payment will not notice that the number has been changed.

The substitution is performed by JavaScript that, after the malicious package is installed, is embedded in the browser as an add-on executed in the context of every web page viewed. The add-on installation process is tied to the Windows platform and is implemented for the Chrome, Edge and Brave browsers. It supports substituting wallets for the cryptocurrencies ETH, BTC, BNB, LTC and TRX.

The malicious packages are disguised in the PyPI catalog as popular libraries using typosquatting (assigning similar names that differ in individual characters, for example exampl instead of example, djangoo instead of django, pyhton instead of python, etc.). Since the created clones fully replicate the legitimate libraries and differ only in the malicious insert, the attackers rely on inattentive users who made a typo and did not notice the difference in the name when searching. Given the popularity of the original legitimate libraries that the malicious clones imitate (their downloads exceed 21 million copies per day), the probability of catching a victim is quite high; for example, an hour after the first malicious package was published it had been downloaded more than 100 times.

It is noteworthy that a week ago the same group of researchers identified 30 other malicious packages in PyPI, some of which also disguised themselves as popular libraries. During the attack, which lasted about two weeks, the malicious packages were downloaded 5700 times. Instead of a script that replaces crypto wallets, these packages used a typical W4SP-Stealer component, which searches the local system for saved passwords, access keys, crypto wallets, tokens, session cookies and other confidential information and sends the found files via Discord.

W4SP-Stealer was invoked by inserting an "__import__" statement into the setup.py or __init__.py files, separated from the preceding code by a large number of spaces so that the __import__ call sits outside the visible area of a text editor. The "__import__" call decoded a Base64-encoded block and wrote it to a temporary file; the block contained a script that downloads and installs W4SP Stealer on the system. In some packages, instead of the "__import__" expression, the malicious block was pulled in by installing an additional package via a "pip install" call from the setup.py script.
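The three hiding tricks described above (a call pushed off-screen by a long run of whitespace, a Base64-decoded block handed to exec, and a pip install run from setup.py) are easy to flag in a pre-install review or CI check. The scanner below is an added example, not code from the article or from the researchers; the sample setup.py text, the regex heuristics and the rule descriptions are assumptions constructed for illustration.

```python
import re

# Constructed sample setup.py in the style the article describes
# (built for this example; not taken from any real package).
SAMPLE_SETUP_PY = (
    'from setuptools import setup\n'
    'setup(name="rqueests", version="2.28.1");'
    + " " * 300                      # pushes the next call off-screen in an editor
    + '__import__("builtins").exec(__import__("base64").b64decode("cHJpbnQoJ2hpJyk="))\n'
    'import subprocess\n'
    'subprocess.run(["pip", "install", "some-dropper-package"])\n'
)

# Heuristic rules (assumed thresholds and patterns, tuned for readability here).
HIDDEN_IMPORT = re.compile(r"[ \t]{40,}__import__\(")          # code after a long whitespace run
B64_EXEC = re.compile(r"\b(exec|eval)\s*\(.*b64decode")         # decode-then-execute
PIP_INSTALL = re.compile(r"(subprocess|os\.system|popen).*pip\b.*install|pip\s+install")

RULES = [
    (HIDDEN_IMPORT, "hidden __import__ after long whitespace run"),
    (B64_EXEC, "base64 payload decoded and executed"),
    (PIP_INSTALL, "pip install invoked from setup script"),
]


def scan_setup_py(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for suspicious lines in a setup script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, description in RULES:
            if pattern.search(line):
                findings.append((lineno, description))
    return findings


if __name__ == "__main__":
    for lineno, description in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {lineno}: {description}")
```

Real detection should also compare the unpacked sdist against the upstream project's release, since the article notes the clones differ from the legitimate library only by the inserted block.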


Identified malicious packages that replace crypto wallet numbers:

  • baeutifulsoup4
  • beautifulsup4
  • cloorama
  • cryptograpyh
  • scripting
  • djangoo
  • hello world example
  • hello world example
  • ipyhton
  • mail-validator
  • mysql-connector-pyhton
  • notebook
  • pyautogiu
  • pygaem
  • pythorhc
  • python-dateuti
  • python-flask
  • python3-flask
  • pyyalm
  • rqueests
  • slenium
  • sqlachemy
  • sqlalcemy
  • tkniter
  • urllib

Identified malicious packages that send sensitive data from the system:

  • typesutil
  • typesstring
  • sutiltype
  • duonet
  • fatnoob
  • strinfer
  • pydprotect
  • incrivelsim
  • twine
  • pyptext
  • installpy
  • faq
  • colorwin
  • requests-httpx
  • colorsama
  • shaasigma
  • tightens
  • felpesviadinho
  • cypress
  • poyte
  • pyslyte
  • vertical
  • pyrurllib
  • algorithmic
  • ol
  • hello
  • curlapi
  • type-color
  • pyhints

Source: opennet.ru
