Open source packages downloaded an estimated 30,000 times from the PyPI open source repository contained malicious code that surreptitiously stole credit card data and login credentials and injected malicious code on infected machines, researchers said on Thursday.

In a post, researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe of devops software vendor JFrog said they recently found eight packages in PyPI that carried out a range of malicious activity. Based on searches on https://pepy.tech, a site that provides download stats for Python packages, the researchers estimate the malicious packages were downloaded about 30,000 times.

Systemic threat

The discovery is the latest in a long line of attacks in recent years that abuse the receptivity of open source repositories, which millions of software developers rely on daily. Despite their crucial role, repositories often lack robust security and vetting controls, a weakness that has the potential to cause serious supply chain attacks when developers unknowingly infect themselves or fold malicious code into the software they publish.

“The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks,” JFrog CTO Asaf Karas wrote in an email. “The ability for attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant. This is a systemic threat, and it needs to be actively addressed on several layers, both by the maintainers of software repositories and by the developers.”

The researchers thanked PyPI maintainer Dustin Ingram “for quickly responding and removing the malicious packages” when notified. Ingram didn’t immediately respond to a request for comment.

Different packages from Thursday’s haul carried out different kinds of nefarious activities. Six of them had three payloads, one for harvesting authentication cookies for Discord accounts, a second for extracting any passwords or payment card data stored by browsers, and the third for gathering information about the infected PC, such as IP addresses, computer name, and user name.

The remaining two packages had malware that tries to connect to an attacker-designated IP address on TCP port 9009, and to then execute whatever Python code is available from the socket. It’s not now known what the IP address was or if there was malware hosted on it.

Like most novice Python malware, the packages used only a simple obfuscation such as from Base64 encoders. Here’s a breakdown of the packages:

Package name	Maintainer	Payload
noblesse	xin1111	Discord token stealer, Credit card stealer (Windows-based)
genesisbot	xin1111	Same as noblesse
aryi	xin1111	Same as noblesse
suffer	suffer	Same as noblesse , obfuscated by PyArmor
noblesse2	suffer	Same as noblesse
noblessev2	suffer	Same as noblesse
pytagora	leonora123	Remote code injection
pytagora2	leonora123	Same as pytagora

Karas told me that the first six packages had the ability to infect the developer computer but couldn’t taint the code developers wrote with malware.

“For both the pytagora and pytagora2 packages, which allows code execution on the machine they were installed, this would be possible.” he said in a direct message. “After infecting the development machine, they would allow code execution and then a payload could be downloaded by the attacker that would modify the software projects under development. However, we don’t have evidence that this was actually done.”

Beware of ‘Frankenstein’ malware packages

Rather than spending days developing code that performs everyday tasks, coders can instead turn to repositories like PyPI, RubyGems, or npm to obtain mature app packages that peers have already developed. Among the 2.7 million packages available on PyPI, for example, are ones developers can use to make apps ​​predict a home’s selling price using data scraped from the Internet, send emails through Amazon’s Simple Email Service, or check open source code for vulnerabilities. PyPI provides packages for software written in Python, while RubyGems and npm provide packages for Ruby and JavaScript apps.

This crucial role makes repositories the ideal setting for supply-chain attacks, which have grown increasingly common using techniques known as typosquatting or dependency confusion.

Repository supply-chain attacks date back to at least 2016, when a college student uploaded malicious packages to PyPI. Over a span of several months, his imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time his code was given all-powerful administrative rights.
Since then, supply-chain attacks have become a regular occurrence for RubyGems and npm.
In recent months, white hat hackers have cooked up a new type of supply-chain attack that works by uploading malicious packages to public code repositories and giving them a name that’s identical to a package stored in the internal repository for a popular piece of software. These so-called dependency confusion attacks have already snared Apple, Microsoft, and 33 other companies.

The JFrog researchers said that, based on the current state of repository security, the Internet is likely to see more attacks in the future.

“Almost all of the code snippets analyzed in this research were based on known public tools, with only a few parameters changed,” they wrote. “The obfuscation was also based on public obfuscators. We expect to see more of these ‘Frankenstein’ malware packages stitched from different attack tools (with changed exfiltration parameters).”