[MART] - Daily Diary #622 - 29 Malicious PyPI Packages Deliver Info Stealing Malware

ctas-mat at appgate.com ctas-mat at appgate.com
Tue Nov 8 00:29:31 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

11/07/2022 - Diary entry #622:

In our Daily Diary entry #517, we talked about Repository Typosquatting, a technique that infects systems by exploiting typos made when installing from package repositories such as PyPI – the Python Package Index – the official third-party repository for Python libraries. The lack of moderation in PyPI and other package repositories makes them susceptible to Typosquatting. Threat actors just need to upload malware under a similar name and wait for someone to install it by accident.

That’s exactly what happened in this new campaign. Twenty-nine packages designed to infect developers’ systems with an info-stealing malware called W4SP Stealer were discovered in the PyPI repository and had been downloaded over 5,700 times. The attackers basically copied existing popular libraries and injected a malicious import statement into either the `setup.py` or the `__init__.py` file.

W4SP Stealer is an open-source Python-based trojan capable of exfiltrating files of interest, passwords, browser cookies, system metadata, Discord tokens, and cryptocurrency wallets. Earlier in August this year, two other malicious packages were observed deploying this same malware family.

That's why dependencies and third-party libraries should never be blindly trusted. Developers should validate what they are installing and, preferably, use fixed versions in their projects, because it is not rare for trusted libraries to be infected and to deliver malicious code through updates.

Kind Regards,




Malware Analysis and Research Team

E: ctas-mat at appgate.com
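One way to validate a downloaded package before installing it, as an added example that is not part of the original post: parse the two files named above (`setup.py` and `__init__.py`) without executing them and report imports the reviewer did not expect, plus calls that load code dynamically. The module name `examplehelper`, the `expected` allowlist and the sample source are constructed for illustration.

```python
import ast
from pathlib import Path

# Builtins that load or run code without a plain `import` line.
DYNAMIC_CALLS = {"__import__", "exec", "eval", "compile"}
# The two file names the diary gives as injection points.
TARGET_FILES = {"setup.py", "__init__.py"}

def audit_source(source, expected):
    """Return sorted (line, message) findings for one file's source text."""
    # `expected`: top-level modules the reviewer expects (hypothetical input).
    findings = set()
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError) as err:
        return [(getattr(err, "lineno", None) or 0, "file does not parse; review by hand")]
    for node in ast.walk(tree):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names = [node.module]  # level 0 only: relative imports stay in-package
        elif isinstance(node, ast.Call):
            func = node.func
            called = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if called in DYNAMIC_CALLS:
                findings.add((node.lineno, f"dynamic code call: {called}"))
        for name in names:
            top = name.split(".")[0]
            if top not in expected:
                findings.add((node.lineno, f"unexpected import: {top}"))
    return sorted(findings)

def audit_tree(root, expected):
    """Audit every setup.py and __init__.py under an unpacked package."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        if path.name in TARGET_FILES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = audit_source(text, expected)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample: setup.py with one extra import and one dynamic call.
SAMPLE_SETUP = (
    "from setuptools import setup\nimport examplehelper\n"
    "setup(name='demo', version='1.0')\n__import__('base64')\n"
)
```

Run `audit_tree` on an unpacked source archive, with `expected` built from the upstream project's own imports; a finding is a prompt for manual review, not a verdict.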
