Malicious Package Found on PyPI That Hides Code Behind an Image and Spreads via GitHub
Check Point Research (CPR) has detected a new malicious package on PyPI, the package repository for the Python programming language. The package was designed to hide its code inside an image and to infect victims through open-source projects on GitHub. CPR believes the findings reflect careful planning by a threat actor and show that obfuscation techniques on PyPI have evolved.
· Infection designed to take place through seemingly legitimate GitHub projects
· CPR shares the image it found in which the malicious code was hidden
· CPR responsibly disclosed its findings to PyPI, which removed the threat
Check Point Research (CPR) detected a new malicious package on PyPI, the repository of software for the Python programming language. This malicious package is distinct in two ways:
· It hides the malicious code inside an image
· The main infection vector is GitHub
Hiding Code in Images
CPR found that code was obfuscated inside the following image.
Infection via GitHub
The infection process goes as follows: while searching the web for legitimate projects, a developer comes across one of these open-source GitHub projects and installs it locally, not knowing that it pulls in the malicious package as an import. From the installer's point of view, they are simply trying out an open-source project from GitHub, unaware that it carries a Trojan component inside it.
Responsible Disclosure
CPR responsibly disclosed its findings to PyPI, which quickly removed the malicious package.
Quote: Ori Abramovsky, Head of Data Science, SpectralOps (a Check Point company):
“We constantly scan PyPI for malicious packages and report them to PyPI. This one is unique and distinct from almost all the malicious packages we encounter on PyPI. This package differs in the way it camouflages its intent and in the way in which it targets PyPI users to infect with malicious imports on GitHub. Our findings indicate that PyPI malicious packages and their obfuscation techniques are fast-evolving. The malicious package we share here reflects careful and meticulous work. It is not the regular copy and paste that we commonly see, but what seems like a real campaign. The creation of the GitHub projects, then smartly hiding the code, and downplaying the packages on PyPI – all sophisticated work.”
Safety Tips
* Use services such as threat code scanners to double-check third-party packages
* Approach with suspicion: even a GitHub project with many stars and forks can have had those numbers generated synthetically
* Double-check and explore any code you do not own before you install or run it
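Both the "Hiding Code in Images" section and the first safety tip call for a check a defender can actually run. The following is an added example, not CPR's scanner and not the malicious package itself: a heuristic that walks a downloaded package or cloned repository, and for every image file reports data appended after the PNG end-of-image marker (IEND) or code-like strings that have no business inside pixel data. The PNG samples, the file names and the appended placeholder text are constructed here for the demonstration; the marker list is an assumption chosen for illustration.

```python
"""Heuristic scanner for image files that carry hidden data (added example).

Flags PNG files whose bytes continue past the IEND chunk, and any image file
containing strings typical of a code loader. Intended as a triage aid when
reviewing third-party packages, not as a definitive detector.
"""
import os
import struct
import tempfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Assumed marker list: strings that rarely belong inside image data.
SUSPECT_MARKERS = [b"exec(", b"eval(", b"__import__", b"base64", b"import os", b"subprocess"]

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".ico")


def png_end_offset(data):
    """Return the offset just past the IEND chunk, or None if data is not a well-formed PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None


def scan_image_bytes(data):
    """Return a list of human-readable findings for one image file (empty if clean)."""
    findings = []
    end = png_end_offset(data)
    if end is not None and end < len(data):
        findings.append(f"{len(data) - end} bytes after PNG IEND")
    hits = [m.decode() for m in SUSPECT_MARKERS if m in data]
    if hits:
        findings.append("code-like strings: " + ", ".join(hits))
    return findings


def scan_package(root):
    """Walk a directory tree and map each suspicious image (relative path) to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(IMAGE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings = scan_image_bytes(fh.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def _chunk(ctype, payload):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(width=1, height=1):
    """Construct a minimal valid 8-bit RGB PNG (all black) for the demonstration."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + b"\x00\x00\x00" * width  # filter byte 0 followed by RGB pixels
    idat = zlib.compress(row * height)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def demo():
    """Constructed package: one clean image and one with text appended after IEND."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "assets"))
        with open(os.path.join(root, "assets", "clean.png"), "wb") as fh:
            fh.write(build_png())
        # Constructed stand-in for appended content; not a real payload.
        with open(os.path.join(root, "assets", "tainted.png"), "wb") as fh:
            fh.write(build_png() + b"import os\nexec(PAYLOAD_PLACEHOLDER)\n")
        return scan_package(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", "; ".join(findings))
```

Run it against an unpacked sdist or wheel directory (`scan_package("/path/to/unpacked")`) before installing. A hit is a reason to read the package's Python sources for code that opens that image and decodes or executes its contents, not proof of compromise on its own: legitimate images can legitimately contain trailing metadata, which is why the result is a triage list rather than a verdict.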