Windows PCs are now being hit by dangerous malware — here's the steps you need to take to stay safe

The Python banner logo on a computer screen running a code editor.
(Image credit: Shutterstock / Trismegist san)

It’s been a while since we heard about malware hiding in PyPI packages, but researchers have now reported finding almost a dozen lurking on the open source Python Package Index (PyPI) repository.

Cybersecurity researchers from Fortinet’s FortiGuard Labs found nine packages delivering the WhiteSnake Stealer. The packages are called nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. WhiteSnake is a Windows infostealer, capable of working around antivirus programs, and communicates with the C2 server via the Tor protocol, the researchers explained.

Its main function is to steal information from the compromised endpoints, and execute various commands. The information it’s after is mostly data from web browsers, cryptocurrency wallets and browser add-ons, and important apps such as Discord, Signal, Telegram, and similar. 

Eyes on cryptos

Some of the packages were also observed carrying a more advanced version of the malware that also comes with a clipboard monitor and an overwrite feature. This feature is designed to assist in cryptocurrency theft, as people wanting to send their tokens from one address to another will almost always copy and paste the receiving address, instead of typing it out. With this malware, the attackers can replace the copied wallet address with one belonging to them, having the victim send their funds to the wrong address. 

PyPI is one of the world’s largest and most popular Python package repositories. As such, it’s a frequent target by threat actors who mostly do two things: either create an entirely new malicious package, or engage in typosquatting - creating a package similar to a legitimate one, and naming it almost exactly the same. That way, the developers can mistakenly install the malicious one. 

Developers are urged to be vigilant when using PyPI and similar services and always make sure they’re downloading a legitimate package. They should look out for strange typos, inconsistent download numbers, and user reviews.

Via The Hacker News

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.