Over the past six months, a progressively intricate malicious campaign has come to light, which has been surreptitiously placing info-stealing packages on open-source platforms, amassing approximately 75,000 downloads.
Analysts from Checkmarx’s Supply Chain Security team have been closely monitoring this campaign since early April, uncovering a total of 272 packages designed to pilfer sensitive data from targeted systems.
This attack has demonstrated considerable evolution since its initial identification, with the authors of these packages continually enhancing their obfuscation layers and deploying techniques to avoid detection.
The researchers note that they started observing this pattern “within the Python ecosystem beginning in early April 2023.”
For instance, one revealing aspect is the behavior of the “_init_py” file, which only activates after verifying that it is operating on a target system and not within a virtualized environment, a characteristic often indicative of a malware analysis host.
Moreover, this malware exhibits the ability to capture screenshots and filch specific files from the compromised system, including those from directories such as Desktop, Pictures, Documents, Music, Videos, and Downloads.
Continuously monitoring the victim’s clipboard for cryptocurrency addresses, the malware then replaces them with the attacker’s address, effectively diverting payments to wallets under their control.
Estimations by the analysts suggest that this campaign has directly siphoned off approximately $100,000 in cryptocurrency.
This discovery serves as a stark reminder that open-source communities and developer ecosystems remain vulnerable to supply chain attacks. Threat actors routinely upload malicious packages to widely utilized repositories and version control systems, including GitHub and package registries such as PyPi and NPM.
To safeguard against such threats, users are strongly urged to exercise caution, thoroughly scrutinizing the projects and package publishers they trust, and maintaining vigilance against typosquatting package names.