Mandvi@Cyber Security News
Cybersecurity researchers have recently identified several malicious Python packages on the Python Package Index (PyPI) repository that were designed to steal sensitive information, particularly credit card details and cryptocurrency-related data. These packages, downloaded over 39,000 times before their removal, demonstrate an increasing threat to software supply chains and the vulnerability of developers relying on open-source repositories. The malicious packages targeted both e-commerce platforms and cryptocurrency users, employing various techniques to evade detection and compromise sensitive data.
The most prevalent of these packages, "disgrasya," which translates to 'accident' or 'disaster' in Filipino, was downloaded over 34,000 times and functioned as a fully automated carding toolkit. This package specifically targeted WooCommerce stores integrated with CyberSource payment gateways, automating the process of validating stolen credit card information. It emulated legitimate shopping activity, programmatically adding items to a cart, navigating to the checkout page, and filling out the payment form, effectively bypassing fraud detection systems. Stolen card data, including numbers, expiration dates, and CVVs, was then exfiltrated to an external server controlled by the attacker. Two other packages, "bitcoinlibdbfix" and "bitcoinlib-dev," masqueraded as fixes for issues in the legitimate "bitcoinlib" Python module. These packages attempted to overwrite the 'clw cli' command with malicious code designed to steal sensitive database files, potentially compromising cryptocurrency wallets and transactions. Researchers noted that the authors of these counterfeit libraries even engaged in GitHub issue discussions, attempting to trick users into downloading and running the malicious code. The discovery of these packages highlights the ongoing need for robust security measures and vigilance within the open-source software ecosystem.
Bill Toulas@BleepingComputer
A malicious Python package, "disgrasya," has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to e-commerce platforms. The package, which translates to "disaster" in Filipino slang, contains a fully automated carding script specifically designed to target WooCommerce stores that utilize the CyberSource payment gateway. This malicious tool allows attackers to test stolen credit card information against live e-commerce payment systems, streamlining the process of identifying valid cards for fraudulent activities. Unlike typical supply chain attacks, "disgrasya" made no attempt to conceal its malicious intent, openly serving as a distribution mechanism for fraudsters.
The "disgrasya" package automates the entire carding workflow, mimicking legitimate customer behavior to bypass fraud detection systems. The script starts by identifying a product on the targeted WooCommerce store and simulates adding items to the cart. It then gathers security tokens and proceeds to tokenize stolen credit card data using CyberSource's mechanisms, submitting it through WooCommerce's checkout endpoints. If the card is valid, the attacker receives confirmation without triggering typical fraud prevention measures like CAPTCHAs. Alarmingly, the script also exfiltrates stolen card data, including numbers, expiration dates, CVVs, and tokenized representations, to an external server controlled by the attacker. Before its discovery and removal from PyPI, "disgrasya" was downloaded over 37,217 times, highlighting the scale of the potential threat. This widespread distribution suggests that the tool may already be in active use across numerous fraud campaigns, posing a growing financial risk to businesses. The carding attack facilitated by "disgrasya" contributes to the rising costs of online payment fraud, which is estimated to cost merchants over $362 billion globally between 2023 and 2028. Security measures such as monitoring traffic patterns, implementing CAPTCHAs, and rate limiting on checkout and payment endpoints can help mitigate the threat posed by "disgrasya" and similar malicious packages. Recommended read:
References :
Samarth Mishra@cysecurity.news
A malicious Python package named 'set-utils' has been discovered on the Python Package Index (PyPI) repository. This package is designed to steal Ethereum private keys by exploiting commonly used account creation functions. Disguised as a utility for Python sets, the package mimics popular libraries, tricking developers into installing it. Since its appearance, 'set-utils' has been downloaded over 1,000 times, posing a significant threat to Ethereum users and developers, particularly those working with Python-based wallet management libraries. The Python security team has removed the malicious package from PyPI.
The 'set-utils' package operates by silently modifying standard Ethereum wallet creation functions. The private keys are exfiltrated within blockchain transactions via the Polygon RPC endpoint to resist traditional detection efforts. The stolen keys are encrypted using an attacker-controlled RSA public key before transmission, making detection challenging. Even if the package is uninstalled, any Ethereum wallets created while it was active remain compromised. To mitigate these risks, developers should employ regular dependency audits and automated scanning tools to detect malicious behaviors in third-party packages.
@Talkback Resources
Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a high severity score of 7.1, allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.
A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy.
@www.helpnetsecurity.com
Two malicious Python packages, named "deepseeek" and "deepseekai", were recently discovered on the Python Package Index (PyPI). These packages were designed to mimic client libraries for the DeepSeek AI API. However, researchers found that they contained malicious code intended to collect user and computer data, as well as environment variables that could expose sensitive information like API keys and database credentials. The packages were quickly reported to and quarantined by PyPI administrators, but were downloaded 36 times in their brief availability.
These malicious packages used Pipedream, an integration platform, as a command-and-control server to receive stolen data. The incident highlights the increasing trend of attackers exploiting the popularity of AI tools like DeepSeek and the growing use of AI in creating malicious payloads. Researchers advise developers to exercise caution when using newly released packages, especially those posing as wrappers for popular services, and to verify the authenticity of software packages before installation.
info@thehackernews.com (The Hacker News)@The Hacker News
PyPI (Python Package Index) has launched a new 'Project Archival' feature, empowering maintainers to mark projects as archived. This signals to users that these projects are no longer actively maintained or expected to receive updates, including crucial security fixes. While archived projects remain installable, the new status alerts developers to the risk of relying on unmaintained packages, thereby promoting more responsible dependency management. Maintainers can archive projects via their settings page on PyPI, prompting a prominent notice to appear on the project's main page.
The new archival system seeks to improve supply chain security by explicitly communicating the maintenance status of projects. This builds on PyPI's existing "project quarantine" framework introduced in late 2024, which allows administrators to mark suspicious projects and prevent their installation. By enabling maintainers to clearly denote the state of archived projects, this feature enhances visibility into the lifecycle of packages. PyPI recommends that package developers release a final version before archiving, including a detailed update in the project description to provide additional context about its status. The archival process is reversible, giving project owners the option to resume maintenance if desired. As part of broader efforts to enhance project lifecycle management within PyPI, further project status labels such as "deprecated" or "unmaintained" may be introduced, along with updates to PyPI's public APIs to allow for easier retrieval of project status information. The goal is to provide a more structured and informative ecosystem for Python developers.