This article is part of in the series

python programming

People who are used to browsing and working in the pleasant waters of the internet have it good. They can enjoy their social media browsing, read more about Instagram marketing strategies and do other important things.

The thing is that they can do this with peace of mind because there are people on the internet who do their best to catch malicious actors.

In recent days, the situation with one of the most popular and essential programming languages, Python, has been rather intriguing.

Back in May this year The PyPI (Python Package Index) team temporarily suspended new projects and users on their platform due to malicious activity.

This malicious activity aligned with a larger trend observed across several open-source registries in months prior to May. The biggest issue was the flood of malicious packages on the NPM JavaScript package manager. There were over 140,000 malicious packages.

This raised some eyebrows.

PyPI experienced a sudden spike in package publications last week. For instance, a threat actor exploited three user accounts to publish numerous malicious packages, including one called “OaxStealer.” This malicious package contained encoded code that, when executed, downloaded a second piece of malware from a legitimate service called “replit.com.”

The main purpose of the downloaded malware was to steal sensitive data from victims, including credentials, file names, and screenshots. Pretty nasty.

This happened in May and it was handled. But, just when everyone thought June will be a better month, the people from Sonatype continued to uncover a significant number of malicious packages within the PyPI and npm software registries.

This is what we are going to discuss in this article.

How Deception Was Planned

When experts discovered the malicious packages, they realized that among the flagged packages were several Python packages published on PyPI, posing as legitimate libraries named after the popular npm “colors” library.

This can fool even the experienced people in the niche.

The malicious packages, including names such as “broke-rcl,” “brokescolors,” and “trexcolors,” exclusively targeted the Windows operating system. Once installed, they would initiate the download and execution of a trojan hosted on Discord’s servers.

Pretty sneaky, it has to be said.

The good people from Sonatype promptly reported these findings to PyPI. This, of course, prompted the removal of the malicious packages and the associated user account. Damage control at its finest.

Unfortunately, there was one more malicious package, “trexcolors,” which was also named after the npm “colors” library, was discovered to download and execute a trojan known as “trex.exe” upon installation.

This trojan, detected by VirusTotal, functions as a rather sophisticated stealer of data and incorporates evasion techniques to tamper with analysis and reverse engineering efforts.

It is used in corporate and engineering espionage.

Cross-platform malware: Libiobe Was Also Discovered

Like the previous packages we mentioned were not enough of a bad news, Sonatype identified a PyPI package named “libiobe,” likely inspired by the legitimate library “iobes.”

This bad boy targeted both Windows and Unix operating systems.

On Windows, the package deployed a trojan-infected executable, named “V0d220823bb829d3fcc62d10adf.exe,” which was concealed within the source code as a base64-encoded string.

Obfuscated code: FNBOT2, TAGADAY, and ZUPPA

We discussed malicious agents who were imitating the “colors” library, but Sonatype’s analysis unveiled obfuscated code in packages named FNBOT2, TAGADAY, and ZUPPA.

These showcased eerily similar patterns observed in previous instances of cryptominer attacks, utilising six variables named magic, love, god, destiny, joy, and trust.

You can bet that this is pretty effective.

The obfuscation technique employed is commonly facilitated by online tools, such as the one provided by development-tools.net.

Final Word

It is safe to say that the wondrous Sonatype’s discovery of these malicious packages simply shows that the internet can be a hostile place riddled with persistent threats faced by open-source software registries like the beloved PyPI and npm.

Sure, the packages and malicious agents that were discovered may not introduce the worst kind of threat, they definitely show how nasty and common attempts by malicious actors to exploit vulnerabilities in open-source ecosystems can be.