Malicious Python packages found stealing data - here's how to stay safe

News
By Sead Fadilpašić
published

Be careful which Python packages you're downloading

coding
(Image credit: Shutterstock / Gorodenkoff)

Someone has been slipping infostealers into Python code repositories since April 2023, stealing people’s sensitive information, login credentials, and cryptocurrency.

A report from cybersecurity analysts Checkmarx claims that over the past six months, “hundreds” of infostealers have been added, through 272 Python packages, to open-source code-sharing platforms, which were then downloaded some 75,000 times. 

The infostealers have evolved through time, from more modest beginnings, to infostealing behemoths capable of stealing all kinds of personal, sensitive information.

Big money

Thus, today, the malware will check if an antivirus is running on the compromised endpoint, look for tasks lists, Wi-Fi passwords, system information, credentials, browsing history, cookies, and payment information saved in the browser, cryptocurrency data from wallet apps, Discord badges, phone numbers, email addresses, Minecraft data, and Roblox data. If that wasn’t enough, it will also make screenshots and outright upload data it deems important.

Some newer versions also look to exfiltrate Telegram data, and have a way of disabling the antivirus. 

Finally, the infostealers will keep tabs on the victims’ clipboards for signs of crypto wallet addresses and swap them out with addresses belonging to the attackers. That way the victims would, unknowingly, send their funds to the attackers, rather than to whomever they intended. 

Checkmarx says the attackers netted some $100,000 in cryptocurrencies so far. 

Open-source Python repositories are popular places, with hundreds of thousands of developers from organizations of all sizes sharing important snippets of code. It also makes them a popular target for hackers looking for a way into corporate infrastructure, where they can wreak all kinds of damage. 

PyPI, for example, is forced to remove packets and ban accounts on a daily basis, to protect its users, and was even forced to bring in mandatory multi-factor authentication (MFA) to slow down the onslaught of malicious new accounts.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.