Cybersecurity researchers have warned of a malicious campaign aimed at Python Package (Pypi) repository users disguised as “time”, but the withdrawal of hidden functionality to steal sensitive data such as cloud access tokens.
Software Price Chain Safety Firm Reversinglabs – Note He discovered two sets of packages totaling 20 of them. The packages were cumulatively loaded more than 14 100 times –
- Snapshot-Photo (2448 boot)
- Check time (316 boot)
- Check time-server (178 boot)
- Analysis of time-server (144 boot)
- Temporary server analyzer (74 boot)
- Time-server test (155 boot)
- Check time (151 downloads)
- ACLIENT-SDK (120 boot)
- ACloud-Client (5496 boot)
- ACLOUD-CLIENS (198 boot)
- ACLOUD-CLIENT-USE (294 boot)
- ALICLOUD-CLIENT (622 Downloads)
- ALICLOUD-CLIENT-SDK (206 boot)
- AMZCLIENTS-SDK (100 boot)
- Awscloud-Clients-Core (206 boot)
- Accounting Python-SDK (1155 boot)
- List-Aim (1.254 boot)
- TCLIENS-SDK (173 boot)
- TCLOUD-PYTHON-DDKS (98 Boot)
- TCloud-Python-Test (793 boot)
While the first set refers to the packages used to download the actor infrastructure, the second cluster consists of packages that implement client clients’ functionality for multiple services such as Alibaba Cloud, Amazon Web Services and Tencent Cloud.
But they also use packages associated with “sometimes” to exfiltrate cloud secrets. All revealed packages have already been removed from Pypi from writing.
Further analysis showed that three packages, ACloud-Client. The list is unnamedand TCLOUD-PYTHON-TESTwas entered as a dependence on a relatively popular GitHub project named Accesskey_tools It was split 42 times and started 519 times.
Based on the source code, which refers to TCLOUD-PYTHON-TEST, was made on November 8, 2023, which indicates that the package has been available to download on Pypi since. The package was loaded 793 times today, according to Pepy.tech statistics.
The disclosure of information occurs when Fortinet Fortiguard Labs said it revealed thousands of Pypi and NPM packages, some of which were found built -in suspicious institutions designed to place malicious code while installing or communicating with external servers.
“Suspicious URL is a key indicator of potentially malicious packages as they are often used to download additional useful loads or communication with command servers (C&C) – Note.
“In 974 packages, such URLs are associated with the risk of data expressing, further loading malware and other malware. It is important to study and control external URLs, depending on the packages to prevent operation.”
