Python programming libraries found hiding security threats

A developer writing code
(Image credit: Shutterstock / Elle Aon)

Threat actors have been using typosquatting to attack Python developers with malware, researchers have claimed.

Experts from Spectralops.io recently analyzed PyPI, a software repository for Python programmers, and found ten malicious packages on the platform. All of these were given names that are almost identical to the names of legitimate packages in order to dupe developers into downloading, and adopting, the tainted ones.

This type of attack is called typosquatting, and is a common occurrence among cybercriminals. It’s not used just on code repositories (although we’ve seen numerous instances on GitHub, for example, in the past), but also in phishing emails, fake websites, and in identity theft.

Thousands of developers at risk

Should the victims adopt these packages, they’d be giving threat actors keys to their kingdoms, given that the malware enables private data theft, as well as the theft of developer credentials. The attackers would then send the data to a third party, with the victims never knowing what happened. As of today, Spectralops reminds, PyPi has more than 600,000 active users, suggesting that the threat landscape is quite large.

“These attacks rely on the fact that the Python installation process can include arbitrary code snippets, which is a place for malicious players to put their malicious code at,” explained Ori Abramovsky, Data Science Lead at Spectralops.io. “We discovered it using machine learning models which analyze the code of these packages and auto alert on the malicious ones.”

Here’s the full list of the affected packages: 

  • Ascii2text
  • Pyg-utils, Pymocks and PyProto2
  • Test-async
  • Free-net-vpn and Free-net-vpn2 
  • Zlibsrc
  • Browserdiv, 
  • WINRPCexpoit 

The researchers reached out to PyPI which, soon after, removed the malicious packages from its repository. Still, developers that downloaded them in the past are still at risk, and should refresh their passwords and other login credentials, just in case.

“What’s remarkable here is just how common these malicious packages are,” Abramovsky continued. “They are simple, yet dangerous. Personally, once I encountered these types of attacks, I started double checking every Python package I use. Sometimes I even download it and manually observe its code prior to installing it.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.