Twelve malicious Python libraries found and removed from PyPI

pypi.png

A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code.

The 12 packages have been discovered in two separate scans by a security engineer who goes online by the name of Bertus, and have long been removed from PyPI before this article’s publication.

All packages were put together and worked following a similar pattern. Their creator(s) copied the code of popular packages and created a new library, but with a slightly modified name. For example, four packages (diango, djago, dajngo, djanga) were misspellings of Django, the name of a very popular Python framework.

The people behind these malicious packages added malicious code to these newly-created, but fully functional projects, and more specifically to the setup.py files. Setup.py files contain a set of instructions that Python library installers like “pip” execute automatically when downloading and setting up a new package inside a Python project.

Coinbase 2

The nature of this extra code was to perform various malicious operations and varied per each malicious library.

Bertus discovered a first set of 11 malicious packages on October 13 (see table below), and another malicious package on October 21.

pypi-malicious-packages.png

pypi-malicious-packages.png

Image: Bertus

The first set of malicious libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations.

The twelfth package, named “colourama,” was financially-motivated and hijacked an infected users’ operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker’s own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user.

This package, too, mimicked the name of a popular Python library, named “colorama.”

According to the PyPI Stats service, 54 users had downloaded the package a month before it was taken down. The attacker’s Bitcoin address contained the equivalent of only $40, with the last transfer being received way back in April, and suggesting that the colourama package failed to make any money.

“I provided the PyPI administrators with the package name, and they removed the package,” Bertus told ZDNet in an email interview. “In addition, they also blocked the name colourama for any future package registrations.”

The researcher told us he discovered all 12 packages by using an automated system he created himself that scanned the PyPI repository for packages with similar names –technically referred to as “typo-squatted” packages.

Bertus says he created the scanner after seeing a security alert sent out by the Slovak National Security Office last year that warned Python developers about ten malicious Python libraries uploaded on PyPI. Those libraries, too, had used typo-squatted names and waited for weeks for users to install them by accident or carelessness, before being taken down.

“At the moment, I am focused on improving the Python (PyPI) scanner, and I will be doing more regular scans,” Bertus told ZDNet.

“I have thought about using my research for other repositories like RubyGems or JavaScript’s npm, but haven’t had time to explore it yet,” he added. “It will take some time to implement it for another repository since each programming language and repository is a bit different.”

JavaScript’s npm package repository needs some of Bertus’ time, for sure. In August 2017, a Swedish developer discovered 38 typo-squatted JavaScript libraries uploaded on the npm repo. The malicious code in those libraries collected local environment variables and uploaded the data to the attacker’s server.

RELATED COVERAGE:

Twelve malicious Python libraries found and removed from PyPI 1
About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

Leave a Reply

E-Crypto News Executive Interviews



bitcoin
Bitcoin (BTC) $ 33,572.00
ethereum
Ethereum (ETH) $ 1,954.51
tether
Tether (USDT) $ 1.00
binance-coin
Binance Coin (BNB) $ 291.78
cardano
Cardano (ADA) $ 1.23
dogecoin
Dogecoin (DOGE) $ 0.235118
xrp
XRP (XRP) $ 0.634310
usd-coin
USD Coin (USDC) $ 1.00
polkadot
Polkadot (DOT) $ 15.73
binance-usd
Binance USD (BUSD) $ 1.00
USD
EUR
GBP
bitcoinBitcoin (BTC)
$ 33,572.00
ethereumEthereum (ETH)
$ 1,954.51
tetherTether (USDT)
$ 1.00
bitcoin-cashBitcoin Cash (BCH)
$ 468.31
litecoinLitecoin (LTC)
$ 127.51
bitcoinBitcoin (BTC)
28.205,68
ethereumEthereum (ETH)
1.642,09
tetherTether (USDT)
0,840155
bitcoin-cashBitcoin Cash (BCH)
393,45
litecoinLitecoin (LTC)
107,13
bitcoinBitcoin (BTC)
24,139.78
ethereumEthereum (ETH)
1,405.38
tetherTether (USDT)
0.719045
bitcoin-cashBitcoin Cash (BCH)
336.74
litecoinLitecoin (LTC)
91.69

Automated trading with HaasBot Crypto Trading Bots

Crypto Scams

What Role Do Cryptocurrencies Play In The Era Of Ransomware Attacks?
June 9, 2021
Crypto Scams On The Rise As Market Enters Bull Cycle
Crypto Scams On The Rise As Market Enters Bull Cycle
December 22, 2020
Harpreet Singh Sahni perpetrated the Plus Gold Union Coin (PGUC) scam
Sydney Concert Promoter Harpreet Sahni Involved In $50M Crypto PGUC Scam
November 2, 2020
KuCoin hackers steal $150 million
KuCoin Exchange Hacked But Insurance Will Cover The Stolen $150M
September 29, 2020
Mining City insists that it is legit
Mining City Refutes Claims By Philippines SEC Of Being A Scam
September 23, 2020

Blockchain/Cryptocurrency Questions and Answers

What Is Plethori Platform And How Does It Work?
June 12, 2021
What Is The Fudge Token?
What Is The Fudge Token?
June 5, 2021
What Is Shiba Inu (SHIB) Cryptocurrency And How Does It Work?
What Is Shiba Inu (SHIB) Cryptocurrency And How Does It Work?
May 31, 2021
What Is PancakeSwap And How Does It Work?
What Is PancakeSwap And How Does It Work?
May 27, 2021
How Has Internet Computer (ICP) Become A Top-10 Crypto?
How did “Internet Computer Coin”(ICP) Become A Top-5 Crypto?
May 19, 2021


CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin33,387 0.40 % 2.34 % 17.31 %
Ethereum1,946.9 0.37 % 3.26 % 23.98 %
Tether1.000 0.12 % 0.03 % 0.01 %
Binance Coin291.45 0.52 % 9.61 % 21.02 %
Cardano1.230 0.16 % 6.56 % 21.41 %
Dogecoin0.2314 1.65 % 21.60 % 28.04 %
XRP0.6340 0.46 % 13.05 % 27.33 %
USD Coin1.000 0.62 % 0.25 % 0.25 %
Polkadot15.68 0.00 % 5.35 % 34.99 %
Binance USD1.000 0.36 % 0.49 % 0.33 %

bitcoin
Bitcoin (BTC) $ 33,572.00
ethereum
Ethereum (ETH) $ 1,954.51
tether
Tether (USDT) $ 1.00
binance-coin
Binance Coin (BNB) $ 291.78
cardano
Cardano (ADA) $ 1.23
dogecoin
Dogecoin (DOGE) $ 0.235118
xrp
XRP (XRP) $ 0.634310
usd-coin
USD Coin (USDC) $ 1.00
polkadot
Polkadot (DOT) $ 15.73
binance-usd
Binance USD (BUSD) $ 1.00