Python Repository Infiltrated: Malicious Packages Install on Windows

In a recent discovery, cybersecurity researchers have unearthed malevolent packages within the Python Package Index (PyPI), an open-source repository, distributing an information-stealing malware named WhiteSnake Stealer on Windows operating systems. The identified malware-infested packages, including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, were uploaded by a threat actor known as “WS.”

The researchers' analysis revealed that these packages embed a Base64-encoded payload, either a PE executable or a Python script, inside their setup.py files. Upon installation, the payload matching the victim's operating system is decoded and executed on the device.

Notably, the WhiteSnake Stealer primarily targets Windows systems, while compromised Linux hosts receive a Python script designed for information harvesting. This campaign’s modus operandi aligns with a previous disclosure by JFrog and Checkmarx from the preceding year.

The Windows-specific payload is identified as a variant of the WhiteSnake malware with Anti-VM mechanisms, communication with a C&C server via the Tor protocol, and capabilities for information theft and command execution. The malware is adept at capturing data from web browsers, cryptocurrency wallets, and various applications, such as WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram.

The researchers are closely monitoring the threat actor behind this campaign, tracked as PYTA31, whose ultimate goal is exfiltrating sensitive data, particularly crypto wallet information. Some of the recently published rogue packages have also been observed incorporating clipper functionality, overwriting clipboard content with attacker-owned wallet addresses to divert transactions. Additionally, certain packages are configured to pilfer data from browsers, applications, and crypto services, underscoring the severity and multifaceted nature of this threat.

To fortify defenses against the threat of malicious Python packages, users and organizations alike should exercise caution when installing packages from the PyPI repository. Verifying the legitimacy of package sources and relying on well-established, reputable packages can help minimize the risk of encountering malicious code. Additionally, organizations should consider implementing network security measures to monitor and filter potentially malicious traffic.
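As a concrete way to vet a package before installing it, the following added example (not code from the article or from the researchers it cites) scans a setup.py for the install-time pattern described above: a long Base64-looking string literal, an OS probe via platform.system(), and decode/execute calls such as base64.b64decode() and exec(). The sample setup.py is constructed for this example and its Base64 blob encodes only a harmless placeholder string.

```python
import ast
import base64
import binascii
import re

# Constructed sample setup.py mimicking the pattern described above: a Base64 blob
# decoded and executed at install time behind an OS check. The blob here encodes
# only a harmless placeholder string, not a real payload.
_PLACEHOLDER = base64.b64encode(b"print('constructed placeholder')").decode()
SAMPLE_SETUP_PY = f'''
import base64, platform
from setuptools import setup
blob = "{_PLACEHOLDER}"
if platform.system() == "Windows":
    exec(base64.b64decode(blob))
setup(name="examplepkg", version="0.1")
'''

# Calls that have no business running inside a setup.py at install time.
SUSPICIOUS_CALLS = {"exec", "eval", "b64decode", "system", "Popen", "run"}

def _looks_base64(s):
    """Heuristic: a long literal made only of Base64 characters that decodes cleanly."""
    if len(s) < 32 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except binascii.Error:
        return False

def scan_setup_py(source):
    """Return findings (line number plus reason) for install-time execution indicators."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            f = node.func
            name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", "")
            if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) \
                    and f.value.id == "platform":
                findings.append(f"line {node.lineno}: OS probe platform.{name}()")
            elif name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and _looks_base64(node.value):
            findings.append(f"line {node.lineno}: {len(node.value)}-char Base64-looking literal")
    return findings
```

Running scan_setup_py(SAMPLE_SETUP_PY) reports the blob literal, the OS probe and the exec/b64decode calls, while a plain setup.py that only calls setup() yields no findings; treat hits as a prompt for manual review rather than proof of malice, since the heuristics can flag benign long strings.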