Researchers at security companies Checkmarx and Phylum have identified malicious packages in the PyPi repository for Python, noting several methods used to disguise the attack and attract developers.
Uploads of these particular packages began last month, targeting users of Alibaba Cloud, Tencent cloud, telegram, and AWS. The purpose was to steal credentials and secret keys, presumably to enable further attacks on the victim companies, or to steal their resources.
The techniques used were:
- Typesquatting: naming a package to be similar to a popular one in case a developer mistypes the name.
- Starjacking: linking a package to an unrelated repository on GitHub that has plenty of stars, suggesting popularity. According to Checkmarx, there is no validation of these links on PyPi, Yarn (JavaScript repository) or NPM (also JavaScript).
- Hidden functions: most of the code in the malicious packages was the same as the genuine package that was copied, but just a couple of lines were added to one function. This means everything appears to work fine most of the time.
- Copying GitHub packages. Some popular Python projects on GitHub do not have corresponding packages in PyPi. This leaves the way open for a criminal to create a matching package, slightly modified to add a payload, and exploit the fact that developers may be searching for it.
The Checkmarx researchers suggest that “for those maintaining popular projects on GitHub, having, at the very least a placeholder package on platforms like PyPi can act as a safeguard, preventing opportunistic attackers from exploiting the absence of legitimate packages.”
Some of the same malicious packages were also spotted by Phylum, another software supply chain security company. Phylum reports that a further two packages were published on October 11th using these same tactics, but further obscuring the malicious code. A package called alisdkcore includes code that attempt to post credentials to the attacker’s server. In this code “instead of exposing the POST request in plain text, they’ve attempted to obfuscate the entire POST request by calling exec() on a large Base64-encoded string that’s dynamically decoded at runtime.”
Phylum also notes that the malicious packages appear to work as normal. “By embedding the malicious code snippet into an existing legitimate codebase, the attacker sought to preserve the original functionality of the package while eluding detection by maintaining the expected utility,” the company states.