Checkmarx Uncovers Hidden Malware in PyPI Packages: Urgent Action Needed

Counterfeit packages distributing malware were found in the Python Package Index (PyPI). Masquerading as popular Python libraries, they were downloaded thousands of times worldwide, including in the United States and China.

A Checkmarx report found that the attackers used steganography to hide malicious code inside ordinary-looking image files, which makes the attack stealthier and harder for scanners to detect. Among the 27 packages identified are pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool.

Image Credit: Checkmarx

What these packages have in common is a malicious setup.py, the script pip runs automatically when it installs a source distribution. That script references further packages that install a VBScript, which in turn downloads and executes a file named Runtime.exe. The executable persists on the system and harvests data from browsers, cryptocurrency wallets, and other applications.
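Because pip executes setup.py during installation of a source distribution, the install script is the first thing to review when a package looks suspicious. The following static check is an added illustration, not code from the Checkmarx report or from the packages it describes. It walks the AST of a setup.py and flags the patterns the campaign relied on: custom setuptools command classes (`cmdclass`, subclasses of `install`), imports that suggest network or process activity, dynamic code execution, and string literals pointing at scripts, executables, the Startup folder, or webhooks. The marker lists are heuristics chosen for this example, and both setup.py samples are constructed for the demonstration.

```python
import ast

# Heuristic markers chosen for this example; a hit is a reason to read the file,
# not proof of malice (many legitimate packages use subprocess or cmdclass).
RISKY_MODULES = {"subprocess", "urllib", "requests", "base64", "ctypes", "socket"}
RISKY_CALLS = {"exec", "eval", "compile", "__import__"}
RISKY_STRINGS = (".vbs", ".exe", "startup", "webhook", "http://", "https://")
SETUPTOOLS_COMMANDS = {"install", "develop", "egg_info", "build_py"}


class SetupPyScanner(ast.NodeVisitor):
    """Collects findings about install-time behaviour in a setup.py source tree."""

    def __init__(self):
        self.findings = []

    def _flag(self, node, msg):
        self.findings.append(f"line {node.lineno}: {msg}")

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name.split(".")[0] in RISKY_MODULES:
                self._flag(node, f"imports {alias.name}")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module and node.module.split(".")[0] in RISKY_MODULES:
            self._flag(node, f"imports from {node.module}")
        self.generic_visit(node)

    def visit_ClassDef(self, node):
        # A class deriving from a setuptools command runs its run() at install time.
        for base in node.bases:
            name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", None)
            if name in SETUPTOOLS_COMMANDS:
                self._flag(node, f"class {node.name} subclasses setuptools command '{name}'")
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name in RISKY_CALLS:
            self._flag(node, f"calls {name}()")
        if name == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass":
                    self._flag(node, "setup() overrides commands via cmdclass (code runs at install time)")
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            low = node.value.lower()
            for marker in RISKY_STRINGS:
                if marker in low:
                    self._flag(node, f"string literal {node.value!r} contains {marker!r}")
        self.generic_visit(node)


def scan_setup_py(source: str) -> list:
    """Return a list of human-readable findings for the given setup.py source."""
    scanner = SetupPyScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample: an ordinary setup.py with no install-time side effects.
BENIGN_SETUP = '''\
from setuptools import setup, find_packages

setup(
    name="example-lib",
    version="1.0.0",
    packages=find_packages(),
    install_requires=["requests>=2.0"],
)
'''

# Constructed sample mimicking the shape of an install-time dropper. The file names
# and package name are placeholders for this example, not the real campaign's.
SUSPICIOUS_SETUP = '''\
import base64
import subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.call(["wscript.exe", "dropper.vbs"])

setup(name="example-lookalike", version="0.1", cmdclass={"install": PostInstall})
'''


if __name__ == "__main__":
    print("benign:", scan_setup_py(BENIGN_SETUP))
    for finding in scan_setup_py(SUSPICIOUS_SETUP):
        print("suspicious:", finding)
```

To review a package before installing it, fetch the source distribution without running it (`pip download --no-binary :all: --no-deps <name>`), unpack it, and run the scanner over its setup.py. Installing with `--only-binary=:all:` avoids executing setup.py at all, at the cost of refusing packages that ship no wheel.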

Checkmarx also found a second attack chain in which executable code was hidden inside a PNG image (uwu.png); the payload collected the IP address and UUID (Universally Unique Identifier) of the infected machine. Two of the packages, Pystob and Pywool, posed as API management tools, exfiltrated data to a Discord webhook, and tried to establish persistence by dropping VBS files into the Windows Startup folder.
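An image bundled with a Python package deserves a structural look before it is trusted. The check below is an added example, not code from the Checkmarx report, and it does not claim to reproduce the exact hiding technique used in uwu.png. It parses the PNG chunk list, verifies each chunk's CRC, and flags the two cheapest places to stash a payload: bytes appended after the IEND chunk (which every image viewer ignores) and oversized ancillary text chunks. Pixel-level steganography (data spread across low-order bits) leaves the container structurally valid and needs statistical analysis instead; that is a limitation of this check, not a feature. The two PNG files are constructed inline for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Ancillary text chunks larger than this are worth a look; threshold chosen for this example.
TEXT_CHUNK_LIMIT = 1024


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_png(data: bytes):
    """Walk the chunk list up to and including IEND.

    Returns (chunks, trailing) where each chunk is (type, length, crc_ok) and
    trailing is whatever follows IEND (an empty bytes object for a clean file).
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        expected = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), length, crc == expected))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def png_findings(data: bytes) -> list:
    """Return a list of structural anomalies that suggest hidden content."""
    chunks, trailing = parse_png(data)
    findings = []
    if not chunks or chunks[-1][0] != "IEND":
        findings.append("no IEND chunk")
    for name, length, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"bad CRC on {name} chunk")
        if name in ("tEXt", "zTXt", "iTXt") and length > TEXT_CHUNK_LIMIT:
            findings.append(f"oversized {name} chunk ({length} bytes)")
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
    return findings


# Constructed sample: a valid 1x1 8-bit grayscale PNG built from scratch.
CLEAN_PNG = (
    PNG_SIGNATURE
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    + _chunk(b"IEND", b"")
)
# Constructed sample: the same image with a harmless placeholder script appended
# after IEND. Viewers still render it as a picture; the bytes are simply ignored.
TAMPERED_PNG = CLEAN_PNG + b"print('placeholder payload')\n"


if __name__ == "__main__":
    print("clean:", png_findings(CLEAN_PNG))
    print("tampered:", png_findings(TAMPERED_PNG))
```

Running the check over every image inside an unpacked distribution is cheap, and a non-empty finding list for a file that a package's own code opens and reads at import time is a strong signal that the image is a carrier rather than an asset.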