Black CaT Posted June 26, 2023

Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he’s probably into it. Find him on Twitter (@Gadget_Ry) or Mastodon (@[email protected])

Among the flagged packages were several Python packages published on PyPI, masquerading as legitimate libraries named after the popular npm “colors” library. The malicious packages, including names such as “broke-rcl,” “brokescolors,” and “trexcolors,” exclusively targeted the Windows operating system. Once installed, these packages would initiate the download and execution of a trojan hosted on Discord’s servers. Sonatype promptly reported these findings to PyPI, resulting in the removal of the malicious packages and the associated user account.

Another malicious package, “trexcolors,” which was also named after the npm “colors” library, was discovered to download and execute a trojan known as “trex.exe” upon installation. This trojan, detected by VirusTotal, functions as an information stealer and incorporates evasion techniques to impede analysis and reverse engineering efforts.

In addition to the aforementioned packages, Sonatype identified a PyPI package named “libiobe,” likely inspired by the legitimate library “iobes.” Unlike the Windows-specific packages, “libiobe” targeted both Windows and Unix operating systems. On Windows, the package deployed a trojan-infected executable, named “V0d220823bb829d3fcc62d10adf.exe,” which was concealed within the source code as a base64-encoded string. Conversely, on Linux/Unix systems, minified Python code, also base64-encoded, executed and sent system fingerprinting data to a Telegram endpoint.
Obfuscated code: FNBOT2, TAGADAY, and ZUPPA

In addition to the PyPI and npm packages imitating the “colors” library, Sonatype’s analysis unveiled obfuscated code in packages named FNBOT2, TAGADAY, and ZUPPA. These packages employed a similar pattern observed in previous instances of cryptominer attacks, utilising six variables named magic, love, god, destiny, joy, and trust. The obfuscation technique employed is commonly facilitated by online tools, such as the one provided by development-tools.net.

Sonatype’s discovery of these malicious packages highlights the persistent threats faced by open-source software registries like PyPI and npm. Although the identified packages may not introduce novel payloads or tactics, they serve as a reminder of the ongoing attempts by malicious actors to exploit vulnerabilities in open-source ecosystems.

Source: https://www.developer-tech.com/news/2023/jun/23/sonatype-uncovers-further-malicious-pypi-npm-packages/
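The post describes three static tells a reviewer can look for before installing a package: an executable hidden in the source as a base64 string, base64-encoded Python handed straight to exec() on the non-Windows branch, and the six-variable obfuscator (magic, love, god, destiny, joy, trust). The triage script below is an added example written for this thread; it is not Sonatype's tooling or code from the article. Function names, the signature table, the 200-character threshold and the inline sample modules are my own assumptions and constructed fixtures: the "payload" is an inert MZ header followed by NOP bytes and the "fingerprint" script only prints, so the fixture is never executed, only parsed.

```python
"""Static triage of a Python package's source for base64-hidden payloads and the
six-variable obfuscator pattern. Added example; nothing here runs the scanned code."""
import ast
import base64
import binascii
import re

# Variable names used by the obfuscator seen in FNBOT2, TAGADAY and ZUPPA (from the post).
OBFUSCATOR_VARS = {"magic", "love", "god", "destiny", "joy", "trust"}

# Executable file signatures: PE ("MZ") for Windows, ELF for Linux/Unix. Assumed table.
EXECUTABLE_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}

# A long run of base64 alphabet characters; short tokens are too noisy to flag (assumed threshold).
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def find_obfuscator_vars(source):
    """Return, sorted, the obfuscator variable names that the module assigns to."""
    assigned = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            assigned.add(node.id)
    return sorted(assigned & OBFUSCATOR_VARS)


def classify_blob(raw):
    """Say what a decoded base64 blob looks like: an executable, Python source, or neither."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if raw.startswith(magic):
            return kind
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Decoded text carrying import lines or exec()/eval() is the Unix-style second-stage script.
    if re.search(r"^\s*(import|from)\s+\w", text, re.M) or re.search(r"\b(exec|eval)\s*\(", text):
        return "python"
    return None


def find_embedded_payloads(source):
    """Decode every long base64 string literal in the module and classify its contents."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for match in LONG_B64_RE.finditer(node.value):
                try:
                    raw = base64.b64decode(match.group(0), validate=True)
                except (binascii.Error, ValueError):
                    continue
                kind = classify_blob(raw)
                if kind:
                    findings.append({"line": node.lineno, "kind": kind, "size": len(raw)})
    return findings


def find_decode_and_exec(source):
    """Return line numbers of exec()/eval() calls whose argument is built from b64decode()."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in ("exec", "eval"):
            for inner in ast.walk(node):
                if isinstance(inner, ast.Call) and isinstance(inner.func, ast.Attribute) and inner.func.attr == "b64decode":
                    hits.append(node.lineno)
                    break
    return hits


def scan_package_source(source):
    """Combine the three signals into one report; any single hit deserves a human look."""
    report = {
        "obfuscator_vars": find_obfuscator_vars(source),
        "embedded_payloads": find_embedded_payloads(source),
        "decode_and_exec_lines": find_decode_and_exec(source),
    }
    report["suspicious"] = bool(
        report["embedded_payloads"] or report["decode_and_exec_lines"] or len(report["obfuscator_vars"]) >= 4
    )
    return report


# Constructed, inert fixtures: an "executable" that is just an MZ header plus NOPs, and a
# "fingerprint" script that only prints. Neither is ever executed by this scanner.
FAKE_PE_B64 = base64.b64encode(b"MZ" + b"\x90" * 256).decode()
FAKE_FINGERPRINT_B64 = base64.b64encode(
    b"# constructed fingerprint stub; it only prints, it sends nothing\n"
    b"import platform, os, json\n"
    b"data = {'host': platform.node(), 'system': platform.system(), 'user': os.environ.get('USER')}\n"
    b"print(json.dumps(data))\n"
).decode()

# Constructed module mimicking the libiobe layout described in the post (PE blob for Windows,
# base64 Python for everything else) plus the six obfuscator variables.
SAMPLE_SOURCE = f'''
import base64, platform
magic = 42
love = "x"
god = 1
destiny = 3
joy = 7
trust = 9
PAYLOAD = "{FAKE_PE_B64}"
if platform.system() == "Windows":
    blob = base64.b64decode(PAYLOAD)
else:
    exec(base64.b64decode("{FAKE_FINGERPRINT_B64}").decode())
'''

# Constructed benign module for a false-positive check.
CLEAN_SOURCE = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    print(scan_package_source(SAMPLE_SOURCE))
    print(scan_package_source(CLEAN_SOURCE))
```

Run it over a package's extracted sdist or wheel before installing (or inside a registry mirror's intake step); a hit on any one signal is a reason to open the file, and the combination of all three is the shape the packages in the post had. Legitimate packages do embed base64 (test fixtures, certificates), so the classifier only flags blobs that decode to an executable header or to Python source, not base64 in general.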