More PyPI packages stealing data have been discovered

By Scott Marlette Last updated Feb 13, 2023

Cybercriminals have managed to once again smuggle a couple of malicious packages into the Python Package Index (PyPi), putting both Python developers, and users, at risk of data theft (opens in new tab).

The packages were discovered by cybersecurity researchers from Fortinet, who uncovered five seperate entities totaling just above 600 downloads.

The packages are called “3m-promo-gen-api”, “Ai-Solver-gen”, “hypixel-coins”, “httpxrequesterv2”, and “httpxrequester”, and seem to have been uploaded on January 27, being available for download for roughly two days before being removed.

Stealing sensitive data

The packages were designed to steal all sorts of sensitive information, including passwords saved in Chrome, Opera, Edge, Brave, and other browsers, authentication cookies for Discord, and wallet data for the Atomic Wallet and Exodus cryptocurrency wallets. Furthermore, the packages targeted a number of websites, in search of sensitive information, including Coinbase, Gmail, PayPal, eBay, and others.

The packages also look for certain keywords relating to banking, passwords, multi-factor authentication (MFA), and other sensitive information. If found, they’d steal them using the “transfer.sh” file transfer service.

While Fortinet’s researchers weren’t able to link the malicious packages to any existing infostealers, BleepingComputer claims that the attackers were actually distributing the W4SP stealer. This infostealer has allegedly become “heavily abused” in PyPI packages, the publication claims. Some of the keywords were in French, leading the researchers to believe that the attackers were of French origin.

PyPI is arguably the world’s most popular Python package repository, hosting more than 200,000 packages that developers can use to speed up their development process. As such, it’s a major target for cybercriminals, and news of infostealers being discovered in Python packages has been getting more frequent.

Most of the time, the attackers would impersonate a legitimate package, hoping that the developers would be too distracted, or lazy, to double-check the authenticity of the code they’re grabbing.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.