Whitesnake Slithers through PyPI: Nine Packages Harbour Hidden Malware

The Fortinet FortiGuard Labs team has detected malicious packages in the Python Package Index (PyPI) that deliver the WhiteSnake infostealer to Windows systems. The packages, named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, were uploaded by a user named “WS.” Each carries a Base64-encoded payload, either PE (Portable Executable) code or a Python script, inside its setup.py, which decodes and runs it when the package is installed. Because pip executes setup.py as part of installation, installing the package is enough to trigger the payload; the victim never has to import it.
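One way to triage a package before installing it, given the pattern described above (a long Base64 string in setup.py that decodes to a PE image or a Python script and is executed at install time), is to parse setup.py statically rather than run it. The following is an added example written for this page; it is not Fortinet's code and contains nothing taken from the packages named above. The two setup.py samples are constructed for illustration, and the minimum blob length and the list of execution calls are assumptions:

```python
"""Static triage of a setup.py for Base64-hidden payloads and install-time execution."""
import ast
import base64
import binascii
import re

# --- Constructed samples (assumption: illustrative only, not the real packages' code) ---
BENIGN_SETUP = '''
from setuptools import setup

setup(name="demo", version="0.1", packages=["demo"])
'''

# One literal decodes to Python source (the Linux-style payload), the other to a PE-like blob.
_PY_PAYLOAD = base64.b64encode(
    b'import os, platform\nhost = platform.node()\nprint("constructed payload on", host)\n'
).decode()
_PE_PAYLOAD = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 200).decode()

SUSPICIOUS_SETUP = f'''
import base64, subprocess, sys
from setuptools import setup

_s = "{_PY_PAYLOAD}"
_w = "{_PE_PAYLOAD}"
if sys.platform == "win32":
    open("helper.exe", "wb").write(base64.b64decode(_w))
    subprocess.Popen(["helper.exe"])
else:
    exec(base64.b64decode(_s))

setup(name="demo2", version="0.1")
'''

# --- Scanner (threshold and call list are assumptions chosen for this example) ---
MIN_B64_LEN = 64                                     # skip short strings such as version numbers
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
RISKY_CALLS = {"exec", "eval", "os.system", "os.popen",
               "subprocess.Popen", "subprocess.run", "subprocess.call"}


def classify_blob(data: bytes) -> str:
    """Label decoded bytes as a PE image, Python source, or unknown."""
    if data[:2] == b"MZ":                            # DOS header magic at the start of every PE file
        return "pe"
    try:
        compile(data.decode("utf-8"), "<blob>", "exec")
        return "python"
    except (UnicodeDecodeError, SyntaxError, ValueError):
        return "unknown"


def _call_name(node: ast.Call):
    """Return 'name' or 'module.attr' for simple call targets, else None."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def scan_setup_py(source: str) -> dict:
    """Parse (never execute) a setup.py and report Base64 blobs and install-time execution."""
    tree = ast.parse(source)
    blobs, risky = [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = "".join(node.value.split())          # tolerate literals wrapped across lines
            if len(s) >= MIN_B64_LEN and B64_RE.match(s):
                try:
                    raw = base64.b64decode(s, validate=True)
                except binascii.Error:
                    continue
                blobs.append((node.lineno, len(raw), classify_blob(raw)))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in RISKY_CALLS:
                risky.append((node.lineno, name))
    if blobs and risky:
        verdict = "suspicious"                       # hidden payload plus a way to run it
    elif blobs or risky:
        verdict = "review"
    else:
        verdict = "clean"
    return {"blobs": blobs, "risky_calls": risky, "verdict": verdict}


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, scan_setup_py(src))
```

Run it against the setup.py obtained with `pip download --no-deps --no-binary :all: <package>` rather than after `pip install`, since installation is exactly what executes the file. A "suspicious" verdict is a cue for manual review, not proof of malice: build scripts for native extensions legitimately call subprocess, and the blob classifier only recognises PE and Python, so a compressed or XOR-wrapped payload shows up as "unknown".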

On Windows the installed payload is the WhiteSnake stealer itself; on Linux the setup.py instead launches a Python script that collects data from the host. The campaign primarily targets Windows users and overlaps with activity previously reported by JFrog and Checkmarx.

The Windows-specific payload is a variant of WhiteSnake, which includes checks intended to evade analysis in virtual machines, communicates with its Command and Control (C2) server over the Tor network, and can both steal victim information and execute commands sent by the operator.

WhiteSnake also harvests data from web browsers, cryptocurrency wallets, and applications such as WinSCP, CoreFTP, Windscribe, FileZilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram.

Checkmarx attributes the campaign to a threat actor known as PYTA31, aiming to exfiltrate confidential data from targeted machines.

Some of these packages include a clipper function that silently replaces cryptocurrency wallet addresses on the clipboard with the attackers’ own, so that a victim who pastes an address into a transaction sends the funds to the attacker instead. Others focus on stealing data from browsers, applications, and crypto services.

Fortinet emphasizes that this discovery shows how a single malware author can seed PyPI with multiple packages built for information theft, each with its own variation in features.