Twelve malicious Python libraries found and removed from PyPI

pypi.png

A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code.

The 12 packages have been discovered in two separate scans by a security engineer who goes online by the name of Bertus, and have long been removed from PyPI before this article’s publication.

All packages were put together and worked following a similar pattern. Their creator(s) copied the code of popular packages and created a new library, but with a slightly modified name. For example, four packages (diango, djago, dajngo, djanga) were misspellings of Django, the name of a very popular Python framework.

The people behind these malicious packages added malicious code to these newly-created, but fully functional projects, and more specifically to the setup.py files. Setup.py files contain a set of instructions that Python library installers like “pip” execute automatically when downloading and setting up a new package inside a Python project.

The nature of this extra code was to perform various malicious operations and varied per each malicious library.

Bertus discovered a first set of 11 malicious packages on October 13 (see table below), and another malicious package on October 21.

pypi-malicious-packages.png

pypi-malicious-packages.png

Image: Bertus

The first set of malicious libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations.

The twelfth package, named “colourama,” was financially-motivated and hijacked an infected users’ operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker’s own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user.

This package, too, mimicked the name of a popular Python library, named “colorama.”

According to the PyPI Stats service, 54 users had downloaded the package a month before it was taken down. The attacker’s Bitcoin address contained the equivalent of only $40, with the last transfer being received way back in April, and suggesting that the colourama package failed to make any money.

“I provided the PyPI administrators with the package name, and they removed the package,” Bertus told ZDNet in an email interview. “In addition, they also blocked the name colourama for any future package registrations.”

The researcher told us he discovered all 12 packages by using an automated system he created himself that scanned the PyPI repository for packages with similar names –technically referred to as “typo-squatted” packages.

Bertus says he created the scanner after seeing a security alert sent out by the Slovak National Security Office last year that warned Python developers about ten malicious Python libraries uploaded on PyPI. Those libraries, too, had used typo-squatted names and waited for weeks for users to install them by accident or carelessness, before being taken down.

“At the moment, I am focused on improving the Python (PyPI) scanner, and I will be doing more regular scans,” Bertus told ZDNet.

“I have thought about using my research for other repositories like RubyGems or JavaScript’s npm, but haven’t had time to explore it yet,” he added. “It will take some time to implement it for another repository since each programming language and repository is a bit different.”

JavaScript’s npm package repository needs some of Bertus’ time, for sure. In August 2017, a Swedish developer discovered 38 typo-squatted JavaScript libraries uploaded on the npm repo. The malicious code in those libraries collected local environment variables and uploaded the data to the attacker’s server.

RELATED COVERAGE:

Twelve malicious Python libraries found and removed from PyPI 1
About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews



bitcoin
Bitcoin (BTC) $ 42,191.00
ethereum
Ethereum (ETH) $ 2,869.18
cardano
Cardano (ADA) $ 2.25
tether
Tether (USDT) $ 1.00
binance-coin
Binance Coin (BNB) $ 340.50
xrp
XRP (XRP) $ 0.922747
solana
Solana (SOL) $ 130.97
usd-coin
USD Coin (USDC) $ 1.00
polkadot
Polkadot (DOT) $ 28.70
dogecoin
Dogecoin (DOGE) $ 0.205132
USD
EUR
GBP
bitcoinBitcoin (BTC)
$ 42,191.00
ethereumEthereum (ETH)
$ 2,869.18
tetherTether (USDT)
$ 1.00
bitcoin-cashBitcoin Cash (BCH)
$ 506.15
litecoinLitecoin (LTC)
$ 148.03
bitcoinBitcoin (BTC)
35.945,47
ethereumEthereum (ETH)
2.444,46
tetherTether (USDT)
0,851970
bitcoin-cashBitcoin Cash (BCH)
431,22
litecoinLitecoin (LTC)
126,12
bitcoinBitcoin (BTC)
30,786.14
ethereumEthereum (ETH)
2,093.60
tetherTether (USDT)
0.729685
bitcoin-cashBitcoin Cash (BCH)
369.33
litecoinLitecoin (LTC)
108.02

Automated trading with HaasBot Crypto Trading Bots

Crypto Scams

Crypto Scams
Crypto Scams Still Persistent In 2021, SEC Warns About Red Flags To Watch
September 9, 2021
Poly Network
Here’s How Hackers Stole Over $600 million in the Poly Network Attack
August 12, 2021
The World’s Most Infamous Crypto Hacks and Scams
July 31, 2021
Cryptocurrency Exchanges
Cryptocurrency Exchanges and the Plague of Scams and Bans
June 29, 2021
What Role Do Cryptocurrencies Play In The Era Of Ransomware Attacks?
June 9, 2021

Blockchain/Cryptocurrency Questions and Answers

Beginner’s Guide to Investing in Cryptocurrency
August 9, 2021
Short-Sell Cryptocurrency
How to Short-Sell Cryptocurrency: A Brief Overview
July 17, 2021
Klaytn
What Is Klaytn (KLAY) And How Does It Work?
July 16, 2021
Cryptocurrencies
Our Crypto Roundup Interview Asks- Do Cryptocurrencies Have a Future?
July 15, 2021
Solana
What Is Solana (SOL) And How Does It Work?
June 26, 2021


CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin42,208 0.54 % 0.75 % 12.55 %
Ethereum2,873.2 0.16 % 1.32 % 16.17 %
Cardano2.250 0.10 % 1.77 % 5.27 %
Tether0.9986 0.03 % 0.08 % 0.23 %
Binance Coin340.81 1.01 % 3.99 % 17.18 %
XRP0.9235 0.52 % 2.13 % 14.16 %
Solana130.99 0.28 % 5.99 % 22.99 %
USD Coin1.000 0.08 % 0.07 % 0.19 %
Polkadot30.87 2.19 % 17.29 % 10.73 %
Dogecoin0.2052 0.69 % 2.76 % 15.16 %

bitcoin
Bitcoin (BTC) $ 42,191.00
ethereum
Ethereum (ETH) $ 2,869.18
cardano
Cardano (ADA) $ 2.25
tether
Tether (USDT) $ 1.00
binance-coin
Binance Coin (BNB) $ 340.50
xrp
XRP (XRP) $ 0.922747
solana
Solana (SOL) $ 130.97
usd-coin
USD Coin (USDC) $ 1.00
polkadot
Polkadot (DOT) $ 28.70
dogecoin
Dogecoin (DOGE) $ 0.205132