ReversingLabs has published an advisory to share details of a malicious package discovered in the PyPI (Python Package Index) while performing a routine inspection of open-source repositories.
Typosquatting – A Growing Threat
Since you are here, remember “it’s Google.com, not ɢoogle.com.”
“In the case of aabquerys, the obfuscated code in question was easily de-obfuscated. That revealed a file with clearly malicious behaviour,” the advisory/blog post read.
Valentic and Zanki assert that it is a critical issue since open-source codes are viewable by everyone, so it is essential to investigate the attempt to disguise or hide such functionality on an open-source module.
Aabquerys Package Analysis
Aabquerys could download second and third-stage malware payloads onto infected devices from a remote server. It also contains an Avast proxy binary (wscproxy.exe) vulnerable to DLL sideloading attacks.
The third stage payload is identified as Demon.bin, which boasts conventional RAT functionalities generated using a post-exploitation, open-source C2 framework called Havoc, authored by C5pider.
A concerning issue is that the author of Aabquerys has published various versions of Aabquerys, namely aabquery and nvm jquery, which could be earlier versions of Aabquerys.
After its discovery, the Aabquerys package was promptly removed from the NPM repository. Nevertheless, the findings highlight the growing threat of malicious packages hidden in open-source repositories like PyPI, GitHub, and NPM that can have lasting adverse consequences for the software supply chain.