ESET Research discovered 116 malicious packages in PyPI, the official repository of software for the Python programming language, uploaded across 53 projects. Victims have downloaded these packages over 10,000 times.
The malware delivers a backdoor capable of executing remote commands, exfiltrating files, and taking screenshots. In some cases, the W4SP Stealer or a clipboard monitor that steals cryptocurrency, or both, is delivered instead.
The backdoor component is implemented for both Windows, in Python, and Linux, in Go.
BRATISLAVA, MONTREAL — December 12, 2023 — ESET Research has discovered a cluster of malicious Python projects being distributed via PyPI, the official package repository for the Python programming language. The threat targets both Windows and Linux systems and usually delivers a custom backdoor with cyberespionage capabilities. It allows remote command execution and file exfiltration, and sometimes includes the ability to take screenshots. In some cases, the final payload is a variant of the infamous W4SP Stealer, which steals personal data and credentials, or a simple clipboard monitor to steal cryptocurrency, or both. ESET discovered 116 files (source distributions and wheels) across 53 projects that contain malware. Over the past year, victims downloaded these files more than 10,000 times. From May 2023 onward, the download rate was around 80 per day.
PyPI is popular among Python programmers for sharing and downloading code. Since anyone can contribute to the repository, malware – sometimes posing as legitimate, popular code libraries – can appear. “Some malicious package names do look similar to other, legitimate packages, but we believe the main way they are installed by potential victims isn’t via typosquatting, but social engineering, where they are walked through running pip to install an ‘interesting’ package for whatever reason,” says ESET researcher Marc-Étienne Léveillé, who discovered and analyzed the malicious packages.
Most of the packages had already been taken down by PyPI at the time of the publication of this research. ESET has communicated with PyPI to take action concerning those remaining; presently, all of the known malicious packages are offline.
ESET has observed the operators behind this campaign using three techniques to bundle malicious code into the Python packages. The first technique is to place a “test” module with lightly obfuscated code inside the package. The second technique is to embed PowerShell code in the setup.py file, which is typically run automatically by package managers such as pip to help install Python projects. In the third technique, the operators make no effort to include legitimate code in the package, so that only the malicious code is present, in a lightly obfuscated form.
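As an added illustration of the packaging techniques described above (example code written for this page, not ESET's tooling or detection logic), the scanner below walks a source distribution and flags a setup.py that runs external commands at install time as well as modules carrying lightly obfuscated code; the sdist it inspects is constructed inside the example, and the indicator patterns are assumptions chosen to match the techniques in the text.

```python
import io
import re
import tarfile

# Indicator patterns (assumptions for this example, not ESET's detections): setup.py
# shelling out at install time, and exec/eval of decoded or very long base64 blobs.
INSTALL_TIME_EXEC = re.compile(r"\b(powershell|subprocess|os\.system)\b", re.I)
OBFUSCATION = re.compile(r"\b(exec|eval)\s*\(|base64\.b64decode|[A-Za-z0-9+/=]{200,}")

def scan_file(path: str, text: str) -> list[str]:
    """Return human-readable indicators found in one .py member of an sdist."""
    findings = []
    base = path.rsplit("/", 1)[-1]
    if base == "setup.py" and INSTALL_TIME_EXEC.search(text):
        findings.append("setup.py runs external commands at install time")
    if OBFUSCATION.search(text):
        where = "obfuscated 'test' module" if base.startswith("test") else "obfuscated code"
        findings.append(where)
    return findings

def scan_sdist(data: bytes) -> dict[str, list[str]]:
    """Scan an sdist tarball held in memory; map each flagged member to its indicators."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".py"):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                hits = scan_file(member.name, text)
                if hits:
                    report[member.name] = hits
    return report

def build_sample_sdist() -> bytes:
    """Constructed sample sdist: benign package code plus the two red flags above."""
    files = {
        "pkg-1.0/setup.py": 'import subprocess\nsubprocess.run(["powershell", "Get-Date"])\n'
                            'from setuptools import setup\nsetup(name="pkg")\n',
        "pkg-1.0/pkg/__init__.py": "def hello():\n    return 'hi'\n",
        # cHJpbnQoMSk= decodes to print(1): a harmless stand-in for a hidden payload
        "pkg-1.0/pkg/test.py": "import base64\nexec(base64.b64decode('cHJpbnQoMSk='))\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content.encode())
            tar.addfile(info, io.BytesIO(content.encode()))
    return buf.getvalue()
```

Running `scan_sdist(build_sample_sdist())` flags setup.py and the test module while leaving the benign `__init__.py` untouched; a real review would then read the flagged files rather than trust the regexes alone.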
Typically, the final payload is a custom backdoor capable of remote command execution and file exfiltration, and sometimes of taking screenshots. On Windows, the backdoor is implemented in Python. On Linux, the backdoor is implemented in the Go programming language. In some cases, a variant of the infamous W4SP Stealer is used instead of the backdoor, or a simple clipboard monitor is used to steal cryptocurrency, or both. The clipboard monitor targets Bitcoin, Ethereum, Monero, and Litecoin cryptocurrencies.
“Python developers should vet the code they download before installing it on their systems. We expect that such abuse of PyPI will continue and advise caution in installing code from any public software repository,” concludes Léveillé.
For more information about the malicious Python projects in PyPI, check out the blog post “A pernicious potpourri of Python packages in PyPI.” Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.