CyberSecurity news

FlagThis - #pypi

@securebulletin.com //
A concerning trend of hackers exploiting open-source software supply chains has been identified, with malicious backdoors being planted in Python and NPM packages. Security researchers at Checkmarx Zero have uncovered a sophisticated campaign where attackers are using typosquatting and name-confusion tactics to trick users into downloading harmful software. This cross-ecosystem approach targets both Windows and Linux systems, deploying multi-platform payloads with the capability to steal data and establish remote control. These findings highlight the growing need for enhanced security measures within open-source ecosystems to combat supply chain attacks.

This campaign leverages the Python Package Index (PyPI) and Node Package Manager (NPM) by mimicking legitimate software. Specifically, the attack targeted users of "colorama," a popular Python tool, and "colorizr," a similar JavaScript package, by uploading packages with names like "coloramapkgs" and "colorizator". The malicious packages carry dangerous payloads designed to give attackers remote access and control, allowing them to harvest and exfiltrate sensitive data. On Windows systems, the malware attempts to bypass antivirus software, while on Linux, it establishes encrypted connections, steals information, and maintains a hidden presence.

Fortunately, the identified malicious packages have been removed from public software repositories, limiting their immediate potential for damage. However, the lack of clear attribution data makes it difficult to trace the campaign back to a known adversary. Vet, an open-source tool designed to help developers and security engineers spot risks in their software supply chains, goes beyond traditional software composition analysis by detecting known vulnerabilities and flagging malicious packages. It supports ecosystems like npm, PyPI, Maven, Go, Docker, and GitHub Actions, assisting in the detection of supply chain attacks.

Recommended read:
References :
  • ciso2ciso.com: News and insights for CISOs from CISO2CISO.
  • cyberpress.org: PyPI Supply Chain Attacks Hit Python and NPM Users on Windows and Linux, according to CyberPress.
  • hackread.com: Hackread reports on Backdoors in Python and NPM Packages Target Windows and Linux.
  • securityonline.info: Stealthy npm supply chain attack using typosquatting leads to remote code execution and data destruction.
  • Cyber Security News: PyPI Supply Chain Attacks Hit Python and NPM Users on Windows and Linux
  • The Hacker News: Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks
  • securebulletin.com: Sophos exposes massive GitHub campaign distributing backdoored malware

@socket.dev //
A malicious Python package named 'discordpydebug' has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to Discord developers. The package, disguised as a simple utility for debugging Discord bots, actually contains a remote access trojan (RAT). This RAT allows attackers to execute commands and exfiltrate data from infected systems via a covert command-and-control (C2) channel. The 'discordpydebug' package was uploaded on March 21, 2022, and has since been downloaded over 11,000 times, putting numerous developer systems at risk.

The 'discordpydebug' package targets developers who build or maintain Discord bots. The attackers took advantage of the fact that PyPI doesn't enforce strict security audits, misleading developers with a legitimate-sounding name and copying code from popular projects to appear trustworthy. The package establishes communication with an attacker-controlled server at "backstabprotection.jamesx123.repl[.]co", and includes features to read and write arbitrary files based on commands received from the server, along with the ability to run shell commands.

The simplicity of the RAT is what makes it effective. The package avoids inbound connections, instead opting for outbound HTTP polling to bypass firewalls and security monitoring tools, especially in less controlled development environments. This discovery highlights the increasing danger of software supply chain attacks and the importance of vigilance when installing packages from open-source repositories. The Socket Research Team urges developers to be cautious and scrutinize any third-party tools or code snippets shared within the Discord developer community.

Recommended read:
References :
  • socket.dev: Malicious PyPI Package Targets Discord Developers with Remote Access Trojan
  • The Hacker News: Researchers Uncover Malware in Fake Discord PyPI Package Downloaded 11,500+ Times
  • www.scworld.com: RAT-laced PyPI package sets sights on Discord developers
  • thecyberexpress.com: Article highlighting the malicious discord developer package and its purpose
  • Security Risk Advisors: Malicious PyPI package "discordpydebug" targets Discord developers with remote access trojan. Over 11K downloads enables arbitrary command execution and data theft.
  • www.bleepingcomputer.com: Malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.

securebulletin.com@Secure Bulletin //
Attackers are increasingly turning to trusted services like Gmail and Google APIs to create stealthy command-and-control (C2) channels. This tactic allows them to mask malicious activities within legitimate network traffic, making detection and mitigation significantly harder. By leveraging platforms like Gmail and Google Drive, threat actors can embed their communications within encrypted channels provided by reputable services, bypassing many traditional security measures. These communications are encrypted by Gmail’s TLS, further complicating detection efforts.

A recent investigation by Socket's Threat Research Team uncovered a campaign using malicious Python packages to establish covert tunnels via Gmail’s SMTP protocol, enabling attackers to exfiltrate data and execute remote commands undetected. Seven malicious PyPI packages, operating under the "Coffin Codes" theme, were found abusing Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution. These packages, once installed, establish an encrypted connection to Gmail’s SMTP server using hardcoded credentials, sending signals and critical information to attacker-controlled email addresses.

The identified packages include Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb. While the packages have been removed from PyPI, one of them was downloaded over 18,000 times before removal. The most advanced variants of the packages also establish outbound WebSocket connections, enabling attackers to issue commands, transfer files, and potentially gain deeper access into the victim's network. This highlights the ongoing risks posed by supply chain attacks and the exploitation of trusted cloud services.

Recommended read:
References :
  • securityonline.info: Malicious Python Packages Exploited Gmail as Covert Command-and-Control Channels
  • BleepingComputer: Malicious PyPI packages abuse Gmail, websockets to hijack systems
  • bsky.app: Seven malicious PyPi packages were found using Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution.
  • bsky.app: Socket Security has spotted seven malicious PyPI packages that use Gmail SMTP servers as tunnels to infected systems
  • socket.dev: Packages use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.
  • securityonline.info: Malicious Python Packages Exploited Gmail as Covert Command-and-Control Channels
  • Cyber Security News: Seven Malicious Packages Exploit Gmail SMTP to Execute Harmful Commands
  • gbhackers.com: Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands
  • Virus Bulletin: Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. These seven packages: use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.
  • gbhackers.com: Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands
  • cyberpress.org: Seven Malicious Packages Exploit Gmail SMTP to Execute Harmful Commands
  • socket.dev: Using Trusted Protocols Against You: Gmail as a C2 Mechanism
  • Secure Bulletin: In the ever-evolving landscape of cybersecurity, attackers are increasingly exploiting trusted services to establish covert command-and-control (C2) channels.
  • securebulletin.com: Hijacking Trust: how Gmail and Google APIs are being weaponized for stealthy C2 channels
  • bsky.app: Socket Security has spotted seven malicious PyPI packages that use Gmail SMTP servers as tunnels to infected systems
  • Davey Winder: Gmail Warning As Data-Stealing Hacker Tunnel Confirmed
  • Cyber Security News: 7 Malicious PyPI Packages Abuse Gmail’s SMTP Protocol to Execute Malicious Commands

Mandvi@Cyber Security News //
Cybersecurity researchers have recently identified several malicious Python packages on the Python Package Index (PyPI) repository that were designed to steal sensitive information, particularly credit card details and cryptocurrency-related data. These packages, downloaded over 39,000 times before their removal, demonstrate an increasing threat to software supply chains and the vulnerability of developers relying on open-source repositories. The malicious packages targeted both e-commerce platforms and cryptocurrency users, employing various techniques to evade detection and compromise sensitive data.

The most prevalent of these packages, "disgrasya," which translates to 'accident' or 'disaster' in Filipino, was downloaded over 34,000 times and functioned as a fully automated carding toolkit. This package specifically targeted WooCommerce stores integrated with CyberSource payment gateways, automating the process of validating stolen credit card information. It emulated legitimate shopping activity, programmatically adding items to a cart, navigating to the checkout page, and filling out the payment form, effectively bypassing fraud detection systems. Stolen card data, including numbers, expiration dates, and CVVs, was then exfiltrated to an external server controlled by the attacker.

Two other packages, "bitcoinlibdbfix" and "bitcoinlib-dev," masqueraded as fixes for issues in the legitimate "bitcoinlib" Python module. These packages attempted to overwrite the 'clw cli' command with malicious code designed to steal sensitive database files, potentially compromising cryptocurrency wallets and transactions. Researchers noted that the authors of these counterfeit libraries even engaged in GitHub issue discussions, attempting to trick users into downloading and running the malicious code. The discovery of these packages highlights the ongoing need for robust security measures and vigilance within the open-source software ecosystem.

Recommended read:
References :
  • The Hacker News: Cybersecurity researchers have uncovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information.
  • www.bleepingcomputer.com: A newly discovered malicious PyPi package named 'disgrasya' that abuses legitimate WooCommerce stores for validating stolen credit cards has been downloaded over 34,000 times from the open-source package platform.
  • gbhackers.com: In a recent development, the ReversingLabs research team has uncovered a sophisticated software supply chain attack targeting developers of cryptocurrency applications.
  • www.scworld.com: Threat actors have sought to compromise credit card information and other sensitive data through three malicious Python Package Index packages, which have been downloaded almost 40,000 times before being removed from the PyPI repository, reports The Hacker News.
  • Cyber Security News: Malicious Python Packages Exploit Popular Cryptocurrency Library to Steal Sensitive Data
  • www.bleepingcomputer.com: A newly discovered malicious PyPi package named 'disgrasya' that abuses legitimate WooCommerce stores for validating stolen credit cards has been downloaded over 34,000 times from the open-source package platform.
  • cyberpress.org: Malicious Python Packages Exploit Popular Cryptocurrency Library to Steal Sensitive Data
  • www.techradar.com: Malicious Python packages are stealing vital data, and have been downloaded thousands of times already

Bill Toulas@BleepingComputer //
A malicious Python package, "disgrasya," has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to e-commerce platforms. The package, which translates to "disaster" in Filipino slang, contains a fully automated carding script specifically designed to target WooCommerce stores that utilize the CyberSource payment gateway. This malicious tool allows attackers to test stolen credit card information against live e-commerce payment systems, streamlining the process of identifying valid cards for fraudulent activities. Unlike typical supply chain attacks, "disgrasya" made no attempt to conceal its malicious intent, openly serving as a distribution mechanism for fraudsters.

The "disgrasya" package automates the entire carding workflow, mimicking legitimate customer behavior to bypass fraud detection systems. The script starts by identifying a product on the targeted WooCommerce store and simulates adding items to the cart. It then gathers security tokens and proceeds to tokenize stolen credit card data using CyberSource's mechanisms, submitting it through WooCommerce's checkout endpoints. If the card is valid, the attacker receives confirmation without triggering typical fraud prevention measures like CAPTCHAs. Alarmingly, the script also exfiltrates stolen card data, including numbers, expiration dates, CVVs, and tokenized representations, to an external server controlled by the attacker.

Before its discovery and removal from PyPI, "disgrasya" was downloaded over 37,217 times, highlighting the scale of the potential threat. This widespread distribution suggests that the tool may already be in active use across numerous fraud campaigns, posing a growing financial risk to businesses. The carding attack facilitated by "disgrasya" contributes to the rising costs of online payment fraud, which is estimated to cost merchants over $362 billion globally between 2023 and 2028. Security measures such as monitoring traffic patterns, implementing CAPTCHAs, and rate limiting on checkout and payment endpoints can help mitigate the threat posed by "disgrasya" and similar malicious packages.

Recommended read:
References :