Malicious Packages Found in Python Package Index (PyPI)
Enterprotect, a leading cybersecurity company, would like to bring to your attention a new threat that has recently surfaced. Malicious packages have been discovered on the Python Package Index (PyPI) that can steal passwords, authentication cookies, and cryptocurrency wallets from developers. This advisory is designed to provide technical details on the threat, explain why it is noteworthy, and outline the exposure and risk to those who may be affected. Additionally, we will provide some recommendations on how to protect yourself and your organization from these types of attacks.
What is the Threat?
Over the past year, numerous malicious packages have been uploaded to open-source repositories under names that appear legitimate. Between January 27 and January 29, 2023, a threat actor uploaded five malicious packages containing the “W4SP Stealer” malware to PyPI. The information-stealing malware, identified in these packages by BleepingComputer, steals data from web browsers at first, then attempts to steal authentication cookies from Discord and other similar programs. Finally, the malware will try to steal cryptocurrency wallets and cookies.
It is important to note that these packages have been given legitimate-sounding names, so developers may be more likely to download them. Developers should always exercise caution when downloading any packages from open-source repositories. They should also perform additional research and verification to ensure that the package is legitimate.
Why is it Noteworthy?
Supply chain attacks, like the one we are currently facing with the PyPI, are expected to continue to increase in the future. Gartner predicts that by 2025, 45 percent of organizations worldwide will have experienced attacks on their software supply chains, three times as many as in 2021. In addition to PyPI, attackers have targeted other code repositories like GitHub and companies like CircleCI, a provider of continuous integration/continuous delivery (CI/CD). Repositories such as GitHub and PyPI are immensely popular among developers; there are 100 million GitHub users and 400,000 packages on PyPI.
What is the Exposure or Risk?
If a malicious package enters a popular repository, it can be downloaded by many different developers before being discovered and remediated. Any developer that uses open-source package repositories could be vulnerable to these types of attacks. It is of the utmost importance to analyze the code in packages before adding them to projects.
In addition to the risk of data theft, developers who download malicious packages can also unknowingly install a backdoor on their system. This type of malware can give the attacker remote access to the system, allowing them to execute malicious code and potentially spread to other systems on the network.
What are the Recommendations?
Enterprotect recommends that developers and organizations take the following actions to protect themselves from this and other supply chain attacks:
Implement strict code review processes - Before adding any package to a project, developers should carefully review the code to ensure that it is legitimate.
Use multiple sources for verification - Developers should never rely solely on one source for package verification. Multiple sources, such as a security team, a trusted community, and third-party security software should be used to validate the code.
Maintain awareness of package repository updates - Developers should stay up-to-date with the latest security news, including any new package repository updates, and implement these updates as soon as possible.
Implement security measures for all packages - It is recommended that developers implement security measures for all packages they use. These measures can include validating digital signatures, verifying package checksums, and enforcing package and version lockdowns.
Use security tools - Implementing security tools such as intrusion detection systems and antivirus software can provide an additional layer of protection against supply chain attacks.
Use secure coding practices - Developers should also use secure coding practices to help prevent malicious code from being introduced into their projects. This includes practices like input validation, proper error handling, and using parameterized queries in database interactions.
Maintain regular backups - In case of a supply chain attack, regular backups of code and data can be a crucial tool in restoring systems to their pre-attack state.
Educate developers and end-users - It is essential to educate developers and end-users about the risks associated with supply chain attacks. Education can help raise awareness and reduce the likelihood of attacks.
Maintain a security posture - Organizations should maintain a security posture by keeping software up to date, implementing regular vulnerability scans, and maintaining strong password policies.
In conclusion, it is vital for developers and organizations to remain vigilant and take proactive measures to protect themselves against supply chain attacks. By implementing strict code review processes, using multiple sources for verification, and maintaining awareness of package repository updates, organizations can reduce their risk of being compromised by these types of attacks.
References
CISA. (2021). ESF Securing the Software Supply Chain for Developers. Retrieved from https://www.cisa.gov/us-cert/publications/esf-securing-software-supply-chain-developers
The Hacker News. (2023, February 1). Researchers Uncover Obfuscated Python-based Cryptomining Malware. Retrieved from https://thehackernews.com/2023/02/researchers-uncover-obfuscated.html
Gartner. (2022, January 7). 7 Top Trends in Cybersecurity for 2022. Retrieved from https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022
BleepingComputer. (2023, February 1). Devs Targeted by W4SP Stealer Malware in Malicious PyPI Packages. Retrieved from https://www.bleepingcomputer.com/news/security/devs-targeted-by-w4sp-stealer-malware-in-malicious-pypi-packages/