New malicious packages were discovered on the Python Package Index (PyPI) that can steal passwords, authentication cookies, and cryptocurrency wallets from developers.
What is the threat?
Over the past year, numerous malicious packages have been uploaded to open-source repositories under names that appear legitimate. Between January 27 and January 29, 2023, a threat actor uploaded five malicious packages containing the “W4SP Stealer” malware to PyPI. The information-stealing malware, identified in these packages by BleepingComputer, first steals data from web browsers, then attempts to steal authentication cookies from Discord and similar programs, and finally tries to steal cryptocurrency wallets and cookies.
Some of the targeted websites to be aware of include:
- Coinbase.com
- Gmail.com
- YouTube.com
- Instagram.com
- PayPal.com
- Telegram.com
- Hotmail.com
- Outlook.com
- Aliexpress.com
- ExpressVPN.com
- eBay.com
- Playstation.com
- xbox.com
- Netflix.com
- Uber.com
Why is it noteworthy?
Supply chain attacks are expected to continue to increase in the future. Gartner predicts that by 2025, 45 percent of organizations worldwide will have experienced attacks on their software supply chains, three times as many as in 2021. In addition to PyPI, attackers have targeted other code repositories like GitHub and companies like CircleCI, a provider of continuous integration/continuous delivery (CI/CD). Repositories such as GitHub and PyPI are immensely popular among developers; there are 100 million GitHub users and 400,000 packages on PyPI.
What is the exposure or risk?
If a malicious package enters a popular repository, it can be downloaded by many developers before it is discovered and remediated. Any developer who uses open-source package repositories could be exposed to these types of attacks. It is of the utmost importance to analyze the code in packages before adding them to projects.
What are the recommendations?
Barracuda MSP recommends the following actions to help prevent these types of attacks:
- See CISA’s guide on recommended practices for securing the software supply chain.
- Be stringent with vendors. If using an open-source repository, validate and analyze the code of each package before adding it to your projects.
- Implement Barracuda XDR to monitor your systems for the IOCs associated with this threat.
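The advisory twice recommends analyzing package code before adding it to a project (under "What is the exposure or risk?" and in the recommendations list). As an added example that is not part of this advisory or of any Barracuda product, the script below shows two checks a developer can run on a downloaded PyPI source distribution (sdist) before installing it: verifying the archive's SHA-256 against a pinned hash, and statically scanning setup.py with the ast module for install-time behaviour commonly seen in credential stealers (decoding and executing hidden payloads, fetching remote code, spawning shells). The indicator list, the sample setup.py contents and the in-memory tarball are constructed for the example; the advisory publishes no package names or hashes, so none are used here.

```python
"""Pre-install inspection of a PyPI source distribution (sdist).

Two defensive checks to run before `pip install` of an unfamiliar package:
  1. compare the archive's SHA-256 with a pinned hash (e.g. one generated
     with `pip-compile --generate-hashes`), and
  2. parse setup.py without executing it and flag calls that stealer-style
     packages use to run hidden code at install time.
"""
import ast
import hashlib
import io
import tarfile
from typing import Dict, List, Optional

# Assumed indicator list for this example; tune it to your own policy.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile",
    "base64.b64decode", "base64.b32decode", "marshal.loads", "zlib.decompress",
    "urllib.request.urlopen", "requests.get", "requests.post",
    "subprocess.Popen", "subprocess.run", "os.system",
}


def _call_name(node: ast.Call) -> str:
    """Dotted name of the called expression, e.g. 'urllib.request.urlopen'."""
    parts = []
    target = node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if isinstance(target, ast.Name):
        parts.append(target.id)
    return ".".join(reversed(parts))


def scan_setup_source(source: str) -> List[str]:
    """Return sorted suspicious call names found in setup.py (static only)."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return ["unparseable-setup.py"]  # treat as suspicious, not as clean
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in SUSPICIOUS_CALLS:
            findings.add(_call_name(node))
    return sorted(findings)


def sha256_hex(archive: bytes) -> str:
    return hashlib.sha256(archive).hexdigest()


def sha256_matches(archive: bytes, pinned_hex: str) -> bool:
    """True only if the archive matches the pinned hash from requirements.txt."""
    return sha256_hex(archive) == pinned_hex.lower()


def inspect_sdist(archive: bytes, pinned_hex: Optional[str] = None) -> Dict:
    """Inspect an sdist tarball: hash pin plus setup.py scan."""
    report = {"hash_ok": None, "setup_found": False, "setup_findings": []}
    if pinned_hex is not None:
        report["hash_ok"] = sha256_matches(archive, pinned_hex)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            # sdists place setup.py at <pkg>-<ver>/setup.py
            if member.isfile() and parts[-1] == "setup.py" and len(parts) <= 2:
                report["setup_found"] = True
                source = tar.extractfile(member).read().decode("utf-8", "replace")
                report["setup_findings"] = scan_setup_source(source)
    return report


def build_sdist(setup_py: str, dirname: str = "examplepkg-1.0") -> bytes:
    """Build a minimal in-memory sdist tarball (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo(name=f"{dirname}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a benign setup.py and one with a hidden install-time payload.
BENIGN_SETUP = 'from setuptools import setup\nsetup(name="examplepkg", version="1.0")\n'
MALICIOUS_SETUP = (
    "from setuptools import setup\nimport base64\n"
    "exec(base64.b64decode('cHJpbnQoJ2hpJyk='))  # hidden code run at install\n"
    'setup(name="examplepkg", version="1.0")\n'
)

if __name__ == "__main__":
    archive = build_sdist(MALICIOUS_SETUP)
    print(inspect_sdist(archive, sha256_hex(archive)))
    print(inspect_sdist(build_sdist(BENIGN_SETUP)))
```

In practice, fetch the archive with `pip download --no-deps --no-binary :all: <package>` so nothing is executed, run `inspect_sdist` on the file, and treat a hash mismatch or any finding as a reason to read the package source by hand before installing. The scan is deliberately static: setup.py is parsed, never imported.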
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.cisa.gov/uscert/sites/default/files/publications/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF
- https://thehackernews.com/2023/02/researchers-uncover-obfuscated.html
- https://www.bleepingcomputer.com/news/security/devs-targeted-by-w4sp-stealer-malware-in-malicious-pypi-packages/
- https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022
If you have any questions, please contact our Security Operations Center.