Published on Nov 10, 2022
Researchers have discovered 29 packages in PyPI, the official third-party software repository for the Python programming language, that are designed to infect developers with malware called W4SP Stealer.
Phylum, a software supply chain security company, said in a report published this week that the main attack seems to have begun around October 12, 2022, before picking up steam to a concentrated effort around October 22.
Typeutil, typestring, sutiltype, duonet, fatnoob, strinfer, pydprotect, incrivelsim, twyne, pyptext, installpy, FAQ, colorwin, requests-httpx, colorsama, shaasigma, stringe, felpesviadinho, cypress, pystyte, pyslyte, pystyle, pyurllib, algorithmic, oiu, IAO, curlapi, type-color, and pyhints are among the packages that are offending.
Combined, the packages have been downloaded more than 5,700 times, with some libraries (such as twyne and colorsama) relying on typosquatting to trick users into downloading them.
A malicious import statement is inserted in the packages’ “setup.py” script in order to launch a Python script that fetches the malicious code from a remote server using the fraudulent modules.
It is an open source Python-based trojan that is capable of pilfering files of interest, passwords, browser cookies, system metadata, Discord tokens, as well as data from the MetaMask, Atomic, and Exodus cryptocurrency wallets.
It is not the first time that W4SP Stealer has been delivered via seemingly benign packages in the PyPI repository. Kaspersky discovered two libraries called pyquest and ultrarequests that were used to deploy the malware.
As a result of these findings, it is evident that open source ecosystems are being abused to propagate malicious packages designed to harvest sensitive information and compromise supply chains.
According to Phylum, “since this is an ongoing attack with constantly changing tactics from a determined attacker, we expect to see more malware similar to this in the future.”
