Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

10 Credential Stealing Python Libraries Found on PyPI Repository

In what’s yet another instance of malicious packages creeping into public code repositories, 10 modules have been removed from the Python Package Index (PyPI) for their ability to harvest critical data points such as passwords and API tokens.

The packages “install info-stealers that enable attackers to steal developer’s private data and personal credentials,” Israeli cybersecurity firm Check Point said in a Monday report.

A short summary of the offending packages is below –

  • Ascii2text, which downloads a nefarious script that gathers passwords stored in web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser
  • Pyg-utils, Pymocks, and PyProto2, which are designed to steal users’ AWS credentials
  • Test-async and Zlibsrc, which download and execute malicious code during installation
  • Free-net-vpn, Free-net-vpn2, and WINRPCexploit, which steal user credentials and environment variables, and
  • Browserdiv, which are capable of collecting credentials and other information saved in the web browser’s Local Storage folder

The disclosure is the latest in a rapidly ballooning list of recent cases where threat actors have published rogue software on widely used software repositories such as PyPI and Node Package Manager (NPM) with the goal of disrupting the software supply chain.

Malicious NPM Packages Steal Discord Tokens and Bank Card Data

If anything, the elevated risk posed by such incidents heightens the need to review and exercise due diligence prior to downloading third-party and open source software from public repositories.

Just last month, Kaspersky disclosed four libraries, viz small-sm, pern-valids, lifeculer, and proc-title, in the NPM package registry that contained highly obfuscated malicious Python and JavaScript code designed to steal Discord tokens and linked credit card information.

The campaign, dubbed LofyLife, proves how such services have proven to be a lucrative attack vector for adversaries to reach a significant number of downstream users by dressing up malware as seemingly useful libraries.

“Supply chain attacks are designed to exploit trust relationships between an organization and external parties,” the researchers said. “These relationships could include partnerships, vendor relationships, or the use of third-party software.”

“Cyber threat actors will compromise one organization and then move up the supply chain, taking advantage of these trusted relationships to gain access to other organizations’ environments.”

The growing misuse of open source software repositories to distribute malware has also prompted GitHub to open a new request for comments (RFC) for an opt-in system that enables package maintainers to sign and verify packages published to NPM in collaboration with Sigstore.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari, the renowned Italian luxury car manufacturer, suffered a cyber incident that compromised the company’s client data. According to a…
ChatGPT Bug Exposes Conversation History Titles

ChatGPT Bug Exposes Conversation History Titles

A ChatGPT user on Reddit first reported the bug after noticing Chinese language characters in the title of their conversation…
Breach Forums to Remain Offline Permanently

Breach Forums to Remain Offline Permanently

The decision to shut down the Breach Forums came after the admin noticed someone had logged into an old forum…