29 January 2024

Malicious PyPI packages deliver WhiteSnake info-stealer to Windows systems

Fortinet researchers discovered a series of malicious packages on the Python Package Index (PyPI) repository, designed to infect systems with a dangerous information-stealing malware named WhiteSnake Stealer. The malware, designed to target Windows systems, is hidden within seemingly harmless Python packages, posing a significant threat to unsuspecting users.

The identified malicious packages, uploaded by a threat actor using the name “WS,” are nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They exhibit similarities with a 2023 campaign detailed by Checkmarx, which was linked to a threat actor tracked as PYTA31.

The observed packages embed Base64-encoded payloads, either a Windows PE executable or additional Python scripts, inside their setup.py files. Because pip runs setup.py while building a package from a source distribution, the payload is decoded and executed at install time, without any further action from the user.
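As an added example (this is not Fortinet's analysis code and not the contents of the packages named above), the following Python script performs the check a practitioner would want before installing an untrusted package: it parses a setup.py with the standard library's ast module, never executing it, and flags the chain described here, a large Base64 literal that is decoded and then either exec()'d in-process or written to disk and launched. The three setup.py samples embedded in it are constructed for this example, and the Base64 blobs are placeholders, not real payloads.

```python
"""Static triage of a setup.py for install-time payload execution.

Parses the file with ``ast`` and never executes it. Flags the dropper chain:
a large Base64 literal that is decoded and then either exec()'d in-process
(script payload) or written to disk and launched (PE payload). Every sample
setup.py below is constructed for this example; none is real package content.
"""
from __future__ import annotations

import ast
import base64
import re
from dataclasses import dataclass

DECODE_CALLS = {"b64decode", "b32decode", "b16decode", "b85decode", "a85decode"}
EXEC_CALLS = {"exec", "eval"}
SPAWN_CALLS = {"system", "popen", "Popen", "run", "call", "check_call",
               "check_output", "startfile", "execv", "execvp"}
MIN_BLOB_LEN = 64  # shorter literals are common in legitimate metadata
B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")


@dataclass
class Finding:
    kind: str    # base64_blob | decode | exec | spawn
    line: int
    detail: str


def _call_name(node: ast.Call) -> str:
    """Bare callee name for f(), m.f() and m.sub.f()."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def _is_base64_blob(s: str) -> bool:
    """True for a long string literal that strictly decodes as Base64."""
    s = "".join(s.split())
    if len(s) < MIN_BLOB_LEN or not B64_RE.match(s):
        return False
    try:
        base64.b64decode(s, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return False
    return True


def scan_setup_py(source: str) -> list[Finding]:
    """Return every suspicious construct found in the setup.py text."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if _is_base64_blob(node.value):
                findings.append(Finding("base64_blob", node.lineno,
                                        f"{len(node.value)}-char Base64 literal"))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DECODE_CALLS:
                findings.append(Finding("decode", node.lineno, name))
            elif name in EXEC_CALLS:
                findings.append(Finding("exec", node.lineno, name))
            elif name in SPAWN_CALLS:
                findings.append(Finding("spawn", node.lineno, name))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'suspicious' only when blob, decode and exec/spawn all appear (the full chain)."""
    kinds = {f.kind for f in findings}
    if "base64_blob" in kinds and "decode" in kinds and kinds & {"exec", "spawn"}:
        return "suspicious"
    if kinds & {"decode", "exec", "spawn"}:
        return "review"
    return "clean"


# --- constructed samples (placeholders, not real package contents) ----------
_FAKE_PE = base64.b64encode(b"MZ" + b"\x00" * 62).decode()        # not a real PE
_FAKE_SCRIPT = base64.b64encode(b"print('stolen data would go here')\n" * 3).decode()

PE_DROPPER_SETUP = f'''
import base64, os, tempfile
from setuptools import setup
PAYLOAD = "{_FAKE_PE}"
path = os.path.join(tempfile.gettempdir(), "svc.exe")
open(path, "wb").write(base64.b64decode(PAYLOAD))
os.system(path)
setup(name="demo", version="0.1")
'''

SCRIPT_DROPPER_SETUP = f'''
import base64
from setuptools import setup
exec(base64.b64decode("{_FAKE_SCRIPT}").decode())
setup(name="demo", version="0.1")
'''

BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="demo", version="0.1", packages=find_packages(),
      install_requires=["requests>=2.0"], long_description=open("README.md").read())
'''

if __name__ == "__main__":
    for label, src in [("pe", PE_DROPPER_SETUP), ("script", SCRIPT_DROPPER_SETUP),
                       ("benign", BENIGN_SETUP)]:
        found = scan_setup_py(src)
        print(label, verdict(found), [(x.kind, x.line, x.detail) for x in found])
```

Run it over the setup.py of a downloaded sdist (pip download --no-binary :all: <pkg>) before installing. It is a triage heuristic, not a verdict: payloads hidden behind other encodings, string concatenation, or in the package's own modules rather than setup.py will evade it, and a legitimate custom cmdclass that shells out will land in "review". Installing with pip install --only-binary=:all: avoids running setup.py at all, although a wheel can still carry code that runs at import time.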

The packages released before December 2023 closely resemble their predecessors, dropping the WhiteSnake PE malware on Windows devices or delivering Python scripts crafted to steal information from Linux devices. A subtle distinction in the newer variants is that stolen data is sent to a range of IP addresses rather than to a single fixed URL, most likely so that exfiltration still succeeds if one server is taken down or blocked.

While earlier attacks targeted both Windows and Linux users, this recent set of packages focuses predominantly on Windows users. Each package carries a slightly different executable payload, but all aim to exfiltrate sensitive information from victims. Some of the newly discovered packages also include clipper functionality, which overwrites clipboard contents with attacker-controlled cryptocurrency wallet addresses so that a victim who pastes a wallet address unknowingly sends funds to the attacker. Certain packages are additionally configured to steal data from browsers, applications, and cryptocurrency services.

“Users are urged to exercise utmost caution when using open-source packages, checking for malicious content or payloads that may render targeted devices susceptible to information theft. The narrative of this particular malware author has unfolded over several months and showcases the considerable amount of havoc that has been wrought,” the researchers cautioned.
