More PyPI packages stealing data have been discovered


Cybercriminals have managed to once again smuggle a couple of malicious packages into the Python Package Index (PyPI), putting both Python developers and users at risk of data theft.

The packages were discovered by cybersecurity researchers from Fortinet, who uncovered five separate entities totaling just above 600 downloads.

The packages are called “3m-promo-gen-api”, “Ai-Solver-gen”, “hypixel-coins”, “httpxrequesterv2”, and “httpxrequester”, and seem to have been uploaded on January 27, being available for download for roughly two days before being removed.

Stealing sensitive data

The packages were designed to steal all sorts of sensitive information, including passwords saved in Chrome, Opera, Edge, Brave, and other browsers, authentication cookies for Discord, and wallet data for the Atomic Wallet and Exodus cryptocurrency wallets. Furthermore, the packages targeted a number of websites in search of sensitive information, including Coinbase, Gmail, PayPal, eBay, and others.

The packages also look for certain keywords relating to banking, passwords, multi-factor authentication (MFA), and other sensitive information. If matches were found, the packages would exfiltrate them using the “transfer.sh” file transfer service.

While Fortinet’s researchers weren’t able to link the malicious packages to any existing infostealers, BleepingComputer claims that the attackers were actually distributing the W4SP stealer. According to the publication, this infostealer has become “heavily abused” in PyPI packages. Some of the keywords were in French, leading the researchers to believe that the attackers were of French origin.

PyPI is arguably the world’s most popular Python package repository, hosting more than 200,000 packages that developers can use to speed up their development process. As such, it’s a major target for cybercriminals, and news of infostealers being discovered in Python packages has been getting more frequent.

Most of the time, the attackers would impersonate a legitimate package, hoping that the developers would be too distracted, or lazy, to double-check the authenticity of the code they’re grabbing.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
