@securebulletin.com
//
A concerning trend of hackers exploiting open-source software supply chains has been identified, with malicious backdoors being planted in Python and NPM packages. Security researchers at Checkmarx Zero have uncovered a sophisticated campaign where attackers are using typosquatting and name-confusion tactics to trick users into downloading harmful software. This cross-ecosystem approach targets both Windows and Linux systems, deploying multi-platform payloads with the capability to steal data and establish remote control. These findings highlight the growing need for enhanced security measures within open-source ecosystems to combat supply chain attacks.
This campaign leverages the Python Package Index (PyPI) and Node Package Manager (NPM) by mimicking legitimate software. Specifically, the attack targeted users of "colorama," a popular Python tool, and "colorizr," a similar JavaScript package, by uploading packages with names like "coloramapkgs" and "colorizator". The malicious packages carry dangerous payloads designed to give attackers remote access and control, allowing them to harvest and exfiltrate sensitive data. On Windows systems, the malware attempts to bypass antivirus software, while on Linux, it establishes encrypted connections, steals information, and maintains a hidden presence. Fortunately, the identified malicious packages have been removed from public software repositories, limiting their immediate potential for damage. However, the lack of clear attribution data makes it difficult to trace the campaign back to a known adversary. Vet, an open-source tool designed to help developers and security engineers spot risks in their software supply chains, goes beyond traditional software composition analysis by detecting known vulnerabilities and flagging malicious packages. It supports ecosystems like npm, PyPI, Maven, Go, Docker, and GitHub Actions, assisting in the detection of supply chain attacks. Recommended read:
References :
@socket.dev
//
A malicious Python package named 'discordpydebug' has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to Discord developers. The package, disguised as a simple utility for debugging Discord bots, actually contains a remote access trojan (RAT). This RAT allows attackers to execute commands and exfiltrate data from infected systems via a covert command-and-control (C2) channel. The 'discordpydebug' package was uploaded on March 21, 2022, and has since been downloaded over 11,000 times, putting numerous developer systems at risk.
The 'discordpydebug' package targets developers who build or maintain Discord bots. The attackers took advantage of the fact that PyPI doesn't enforce strict security audits, misleading developers with a legitimate-sounding name and copying code from popular projects to appear trustworthy. The package establishes communication with an attacker-controlled server at "backstabprotection.jamesx123.repl[.]co", and includes features to read and write arbitrary files based on commands received from the server, along with the ability to run shell commands. The simplicity of the RAT is what makes it effective. The package avoids inbound connections, instead opting for outbound HTTP polling to bypass firewalls and security monitoring tools, especially in less controlled development environments. This discovery highlights the increasing danger of software supply chain attacks and the importance of vigilance when installing packages from open-source repositories. The Socket Research Team urges developers to be cautious and scrutinize any third-party tools or code snippets shared within the Discord developer community. Recommended read:
References :
securebulletin.com@Secure Bulletin
//
Attackers are increasingly turning to trusted services like Gmail and Google APIs to create stealthy command-and-control (C2) channels. This tactic allows them to mask malicious activities within legitimate network traffic, making detection and mitigation significantly harder. By leveraging platforms like Gmail and Google Drive, threat actors can embed their communications within encrypted channels provided by reputable services, bypassing many traditional security measures. These communications are encrypted by Gmail’s TLS, further complicating detection efforts.
A recent investigation by Socket's Threat Research Team uncovered a campaign using malicious Python packages to establish covert tunnels via Gmail’s SMTP protocol, enabling attackers to exfiltrate data and execute remote commands undetected. Seven malicious PyPI packages, operating under the "Coffin Codes" theme, were found abusing Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution. These packages, once installed, establish an encrypted connection to Gmail’s SMTP server using hardcoded credentials, sending signals and critical information to attacker-controlled email addresses. The identified packages include Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb. While the packages have been removed from PyPI, one of them was downloaded over 18,000 times before removal. The most advanced variants of the packages also establish outbound WebSocket connections, enabling attackers to issue commands, transfer files, and potentially gain deeper access into the victim's network. This highlights the ongoing risks posed by supply chain attacks and the exploitation of trusted cloud services. Recommended read:
References :
Mandvi@Cyber Security News
//
Cybersecurity researchers have recently identified several malicious Python packages on the Python Package Index (PyPI) repository that were designed to steal sensitive information, particularly credit card details and cryptocurrency-related data. These packages, downloaded over 39,000 times before their removal, demonstrate an increasing threat to software supply chains and the vulnerability of developers relying on open-source repositories. The malicious packages targeted both e-commerce platforms and cryptocurrency users, employing various techniques to evade detection and compromise sensitive data.
The most prevalent of these packages, "disgrasya," which translates to 'accident' or 'disaster' in Filipino, was downloaded over 34,000 times and functioned as a fully automated carding toolkit. This package specifically targeted WooCommerce stores integrated with CyberSource payment gateways, automating the process of validating stolen credit card information. It emulated legitimate shopping activity, programmatically adding items to a cart, navigating to the checkout page, and filling out the payment form, effectively bypassing fraud detection systems. Stolen card data, including numbers, expiration dates, and CVVs, was then exfiltrated to an external server controlled by the attacker. Two other packages, "bitcoinlibdbfix" and "bitcoinlib-dev," masqueraded as fixes for issues in the legitimate "bitcoinlib" Python module. These packages attempted to overwrite the 'clw cli' command with malicious code designed to steal sensitive database files, potentially compromising cryptocurrency wallets and transactions. Researchers noted that the authors of these counterfeit libraries even engaged in GitHub issue discussions, attempting to trick users into downloading and running the malicious code. The discovery of these packages highlights the ongoing need for robust security measures and vigilance within the open-source software ecosystem. Recommended read:
References :
Bill Toulas@BleepingComputer
//
A malicious Python package, "disgrasya," has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to e-commerce platforms. The package, which translates to "disaster" in Filipino slang, contains a fully automated carding script specifically designed to target WooCommerce stores that utilize the CyberSource payment gateway. This malicious tool allows attackers to test stolen credit card information against live e-commerce payment systems, streamlining the process of identifying valid cards for fraudulent activities. Unlike typical supply chain attacks, "disgrasya" made no attempt to conceal its malicious intent, openly serving as a distribution mechanism for fraudsters.
The "disgrasya" package automates the entire carding workflow, mimicking legitimate customer behavior to bypass fraud detection systems. The script starts by identifying a product on the targeted WooCommerce store and simulates adding items to the cart. It then gathers security tokens and proceeds to tokenize stolen credit card data using CyberSource's mechanisms, submitting it through WooCommerce's checkout endpoints. If the card is valid, the attacker receives confirmation without triggering typical fraud prevention measures like CAPTCHAs. Alarmingly, the script also exfiltrates stolen card data, including numbers, expiration dates, CVVs, and tokenized representations, to an external server controlled by the attacker. Before its discovery and removal from PyPI, "disgrasya" was downloaded over 37,217 times, highlighting the scale of the potential threat. This widespread distribution suggests that the tool may already be in active use across numerous fraud campaigns, posing a growing financial risk to businesses. The carding attack facilitated by "disgrasya" contributes to the rising costs of online payment fraud, which is estimated to cost merchants over $362 billion globally between 2023 and 2028. Security measures such as monitoring traffic patterns, implementing CAPTCHAs, and rate limiting on checkout and payment endpoints can help mitigate the threat posed by "disgrasya" and similar malicious packages. Recommended read:
References :
|