Latest Attack on PyPI Users Shows Crooks are Only Getting Better
upstart writes:
The code found in the malicious packages closely resembled legit offerings:
More than 400 malicious packages were recently uploaded to PyPI (Python Package Index), the official code repository for the Python programming language, in the latest indication that the targeting of software developers using this form of attack isn't a passing fad.
All 451 packages found recently by security firm Phylum contained almost identical malicious payloads and were uploaded in bursts that came in quick succession. Once installed, the packages create a malicious JavaScript extension that loads each time a browser is opened on the infected device, a trick that gives the malware persistence over reboots.
The JavaScript monitors the infected developer's clipboard for any cryptocurrency addresses that may be copied to it. When an address is found, the malware replaces it with an address belonging to the attacker. The objective: intercept payments the developer intended to make to a different party.
Besides vastly increasing the number of malicious packages uploaded, the latest campaign also uses a significantly different way to cover its tracks. Whereas the packages disclosed in November used encoding to conceal the behavior of the JavaScript, the new packages write function and variable identifiers in what appear to be random 16-bit combinations of Chinese language ideographs [...]
[...] The names of all 451 malicious packages the Phylum researchers found are included in the blog post. It's not a bad idea for anyone who intended to download one of the legitimate packages targeted to double-check that they didn't inadvertently obtain a malicious doppelganger.
Read more of this story at SoylentNews.
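The story ends by suggesting that anyone who meant to install one of the targeted packages double-check for a look-alike. The script below is an added example of how a developer might do that locally; it is not Phylum's or Ars Technica's tooling and it does not contain the real package list, which stays in Phylum's blog post. It applies two heuristics drawn from the story: an installed distribution whose name is a small edit distance from a package you intended to install, but is not that package, is a candidate doppelganger; and a JavaScript file whose identifiers are mostly CJK ideographs matches the obfuscation the story describes. The package names and JavaScript snippet in the demo are constructed for illustration and say nothing about any real project.

```python
"""
Post-install look-alike check for the doppelganger PyPI campaign described
above. Added example; not the researchers' tooling. Indicators here are
constructed stand-ins, not the names from Phylum's blog post.
"""
import re
from importlib import metadata

# JavaScript reserved words, excluded so they do not dilute the identifier ratio.
JS_KEYWORDS = {
    "const", "let", "var", "function", "return", "if", "else", "for", "while",
    "new", "this", "true", "false", "null", "typeof", "async", "await",
}
CJK = re.compile(r"[\u4e00-\u9fff]")          # CJK Unified Ideographs block
IDENT = re.compile(r"[^\W\d]\w*", re.UNICODE)  # identifier-like tokens


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold, collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_lookalikes(installed, intended, max_distance=2):
    """Return (installed_name, intended_name, distance) for every installed
    package that is close to, but not exactly, a package the developer meant
    to use. An exact match is the genuine package and is skipped."""
    wanted = {normalize(n) for n in intended}
    hits = []
    for inst in installed:
        n = normalize(inst)
        if n in wanted:
            continue
        for w in sorted(wanted):
            d = edit_distance(n, w)
            if d <= max_distance:
                hits.append((inst, w, d))
    return hits


def installed_distributions():
    """Names of every distribution visible to this interpreter."""
    return sorted({d.metadata["Name"] for d in metadata.distributions()})


def cjk_identifier_ratio(js_source: str) -> float:
    """Fraction of non-keyword identifiers made entirely of CJK ideographs.
    Ordinary JavaScript scores near 0; the obfuscation described above
    would score near 1. This is a triage heuristic, not proof of malice."""
    idents = [t for t in IDENT.findall(js_source) if t not in JS_KEYWORDS]
    if not idents:
        return 0.0
    cjk = sum(1 for t in idents if all(CJK.match(ch) for ch in t))
    return cjk / len(idents)


if __name__ == "__main__":
    # Constructed demo: "requesta" is a made-up stand-in for a typosquat.
    demo_installed = ["requests", "requesta", "numpy", "beautifulsoup4"]
    demo_intended = ["requests", "numpy"]
    for inst, want, d in find_lookalikes(demo_installed, demo_intended):
        print(f"possible look-alike: {inst!r} is {d} edit(s) from {want!r}")

    # Constructed snippet in the style the story describes (ideograph identifiers).
    demo_js = "const 一二 = navigator.clipboard; function 三四(五) { return 五; }"
    print(f"CJK identifier ratio: {cjk_identifier_ratio(demo_js):.2f}")

    # Real run against this interpreter's environment; supply your own intended list.
    print(len(installed_distributions()), "distributions installed")
```

To check a real environment, pass `installed_distributions()` and the list of packages you actually meant to install to `find_lookalikes`; anything it returns deserves a look at the package's metadata and install location before you trust it.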