Alert!: Python Malicious Code Exposure

[impeeza]

Please Tempers be aware you could have malware on your system, if you use Python and installed one of the following packages.

Attention: Developers as well as anyone who has Python installed on their machine/virtual machine.

PyPI, the most widely used Python package repository consisting of over 350,000 open-source software packages used by millions of registered users, is actively being targeted by threat actors. Threat actors have uploaded to the PyPI (Python Package Index) repository over 400 malicious packages carrying code to drop malware on developers' systems.
PyPI’s popularity makes it an attractive target for threat actors given its use by global developers use in their software projects. Typically, malicious packages are uploaded masquerading as something useful or mimic renowned projects by modifying their name. Some fake and malicious packages use "typosquatting" to impersonate popular software projects to trick PyPI users into downloading them. Packages complete with descriptions trick developers into believing they're genuine resources. This appears to be part of a general information-stealing malware campaign used to steal browser data, authentication tokens, and other data from an infected device.
Technical Details:

• Malicious PyPI packages have been observed attempting the following techniques:
• Initial access: To gain access into a system, attackers frequently use typosquatting, a technique where a threat actor purposefully names a package to mimic a popular one. This tricks developers into installing the malicious package. Other techniques for gaining access include compromising a maintainer’s account or email domain.
• Execution: Once the package is installed, it typically either directly executes a malicious payload or downloads and executes a second-stage. Malware often executes code at installation time by defining a malicious post-installation script, that’s automatically executed when the module is imported.
• Exfiltration: Malicious PyPI packages frequently exfiltrate system information and environment variables, such as AWS access keys, credentials to a remote server.

Some examples of reported libraries masquerading as legitimate resources:

• httpslib 4.6.11
• Libhttps
• Colorslib
• Ascii2text – stealing
• Test-async- Fetches remote malicious code.
• Pyg-utils, Pymocks, PyProto2 – AWS credential stealing
• Free-net-vpn and Free-net-vpn2 - User credential stealing
• Zlibsrc – Downloads and installs malicious code from a remote resource.
• Browserdiv- Steals credentials of web designers
• WINRPCexploit- Credential stealer targeting windows RPC vulnerability.

Threat actors have been leveraging typos in the names of legitimate and commonly used libraries below:

• bitcoinlib
• ccxt
• cryptocompare
• cryptofeed
• freqtrade
• solana
• vyper
• websockets
• yfinance
• pandas
• matplotlib
• aiohttp
• beautifulsoup
• tensorflow
• selenium
• scrapy
• colorama
• scikit-learn
• pytorch
• pygame
• pyinstaller

Guidance on limiting your exposure:
Check the name of the python library that you are trying to install, verify that it is the correct one and spelled correctly.
Employ static code analysis against the code check for any malicious functions embedded in the code.
Avoid downloading a package directly to a production environment without testing it in a pre-prod or staging environment to verify the integrity of the package’s code first.
Scrutinize the package names, release histories, submission details, homepage links, and download numbers- If theses are missing or don’t seem right, do not download them (downloading packages may trigger an automatic installation of the package)
Missing package information: Check for packages that have no description at all or have a release version of 0.0.0. Although this doesn’t necessarily indicate malicious behavior, it could be considered suspicious.
Potentially compromised maintainer email: Check if the package maintainer’s email domain was re-registered after the latest package release. This can indicate an attacker taking over an expired domain, and using it to steal the maintainer’s account, which has been proven to be a large-scale issue on NPM.

How to check which python packages installed:
In a terminal run the following command: pip list <enter>
This command will list all python packages that are installed and can checked against any of the packages that might be reported as malicious.

 

[SylverReZ]

Luckily, I don't have it on my end.

 

[yuyuyup]

OOPS, I made a mistake, today I clicked the link to this post and my browser instantly crashed, so I began warning others as I thought this post might have had malicious code (apologies to impeeza only trying to help out.) I'm an idiot I guess but the timing of my crash instantly filled me with fear. I only wanted to guard others with my erroneous warning. Sorry again.

Also here is a screenshot of my mozilla crashes log folder, for quick dirty proof that my browser crashed in case anyone cared.

 

[impeeza]

Cool, looking on the code of the post and no program code at all!:

Please Tempers be aware you could have malware on your system, if you use Python and installed one of the following packages.

[FONT=tahoma][B][SIZE=5]Attention[/SIZE][/B][/FONT]: Developers as well as anyone who has Python installed on their machine/virtual machine.

PyPI, the most widely used Python package repository consisting of over 350,000 open-source software packages used by millions of registered users,  is actively being targeted by threat actors. Threat actors have uploaded to the PyPI (Python Package Index) repository over 400 malicious packages carrying code to drop malware on developers' systems.
PyPI’s popularity makes it an attractive target for threat actors given its use by global developers use in their software projects. Typically, malicious packages are uploaded masquerading as something useful or mimic renowned projects by modifying their name. Some fake and malicious packages use "typosquatting" to impersonate popular software projects to trick PyPI users into downloading them. Packages complete with descriptions trick developers into believing they're genuine resources. This appears to be part of a general information-stealing malware campaign used to steal browser data, authentication tokens, and other data from an infected device.
[B][SIZE=4][COLOR=rgb(226, 80, 65)]Technical Details:[/COLOR][/SIZE][/B]
[LIST]
[*]Malicious PyPI packages have been observed attempting the following techniques:
[*]Initial access: To gain access into a system, attackers frequently use typosquatting, a technique where a threat actor purposefully names a package to mimic a popular one. This tricks developers into installing the malicious package. Other techniques for gaining access include compromising a maintainer’s account or email domain.
[*]Execution: Once the package is installed, it typically either directly executes a malicious payload or downloads and executes a second-stage. Malware often executes code at installation time by defining a malicious post-installation script, that’s automatically executed when the module is imported.
[*]Exfiltration: Malicious PyPI packages frequently exfiltrate system information and environment variables, such as AWS access keys, credentials to a remote server.
[/LIST]
[COLOR=rgb(235, 107, 86)][FONT=arial][B][SIZE=4]Some examples of reported libraries masquerading as legitimate resources:[/SIZE][/B][/FONT][/COLOR]
[LIST]
[*]httpslib 4.6.11
[*]Libhttps
[*]Colorslib
[*]Ascii2text –  stealing
[*]Test-async- Fetches remote malicious code.
[*]Pyg-utils, Pymocks, PyProto2 – AWS credential stealing
[*]Free-net-vpn and Free-net-vpn2  - User credential stealing
[*]Zlibsrc – Downloads and installs malicious code from a remote resource.
[*]Browserdiv- Steals credentials of web designers
[*]WINRPCexploit- Credential stealer targeting windows RPC vulnerability.
[/LIST]
[COLOR=rgb(235, 107, 86)][FONT=arial][B][SIZE=4]Threat actors have been leveraging typos in the names of legitimate and commonly used libraries below:[/SIZE][/B][/FONT][/COLOR]
[LIST]
[*]bitcoinlib
[*]ccxt
[*]cryptocompare
[*]cryptofeed
[*]freqtrade
[*]solana
[*]vyper
[*]websockets
[*]yfinance
[*]pandas
[*]matplotlib
[*]aiohttp
[*]beautifulsoup
[*]tensorflow
[*]selenium
[*]scrapy
[*]colorama
[*]scikit-learn
[*]pytorch
[*]pygame
[*]pyinstaller
[/LIST]
[B][COLOR=rgb(235, 107, 86)][FONT=arial][B][SIZE=4]Guidance on limiting your exposure:[/SIZE][/B][/FONT][/COLOR][/B]
Check the name of the python library that you are trying to install, verify that it is the correct one and spelled correctly.
Employ static code analysis against the code check for any malicious functions embedded in the code.
Avoid downloading a package directly to a production environment without testing it in a pre-prod or staging environment to verify the integrity of the package’s code first.
Scrutinize the package names, release histories, submission details, homepage links, and download numbers- If theses are missing or don’t seem right, do not download them (downloading packages may trigger an automatic installation of the package)
Missing package information: Check for packages that have no description at all or have a release version of 0.0.0. Although this doesn’t necessarily indicate malicious behavior, it could be considered suspicious.
Potentially compromised maintainer email: Check if the package maintainer’s email domain was re-registered after the latest package release. This can indicate an attacker taking over an expired domain, and using it to steal the maintainer’s account, which has been proven to be a large-scale issue on NPM.

[B][COLOR=rgb(235, 107, 86)][FONT=arial][B][SIZE=4]How to check which python packages installed:[/SIZE][/B][/FONT][/COLOR][/B]
In a terminal run the following command: [ICODE]pip list <enter>[/ICODE]
This command will list all python packages that are installed and can checked against any of the packages that might be reported as malicious.

 

[yuyuyup]

Yeah I looked it over, checks out just kidding, I am sorry about all this, I'm embarrassed.