After scanning more than one million packages on PyPI (the Python Package Index), security company ReversingLabs found three malicious Python libraries containing backdoors that activate once the library is installed on a Linux system.
PyPI shows that the three libraries, libpeshnx, libpesh, and libari, were all uploaded by the same author, ruri12. They were uploaded in November 2017, nearly two years ago, which means that many users downloaded and installed these malicious libraries over that period.
ReversingLabs reported its findings to the PyPI repository maintainers on July 9, and the PyPI team removed the three libraries the same day. Since none of the three packages carries a description, their intended purpose is unclear, but PyPI's statistics show that they were being downloaded regularly, with dozens of installations per month.
The backdoor in each malicious library is only activated after the library is installed on a Linux system. It allows an attacker to send commands to the machine on which the library is installed and have them executed there. ReversingLabs also found that only the backdoor in libpeshnx is active: in the other two libraries (libpesh and libari) the body of the malicious function is empty, which suggests that the author either removed the code or was preparing to release a backdoored version.