WhiteSnake: Malware that can control your computer via Tor

Brother

Why should you be careful when installing PyPI packages?

The Fortinet FortiGuard Labs team found malicious packages in the Python Package Index (PyPI) repository that deliver the WhiteSnake Stealer infostealer to Windows systems.

The packages carrying the malware are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They were uploaded by an author using the handle "WS". Each package embeds, in its setup.py source, a Base64-encoded PE (Portable Executable) or additional Python script. That code runs when the package is installed on a user's computer.

On Windows systems the payload is the WhiteSnake Stealer, which harvests information; on Linux systems a Python script is run to collect data. The attack primarily targets Windows users and is linked to a campaign previously reported by JFrog and Checkmarx.

The Windows-specific payload was identified as a variant of the WhiteSnake malware. It includes an anti-virtual-machine check, communicates with its command-and-control (C2) server over the Tor network, and can both steal information from the victim and execute commands.

WhiteSnake Stealer also collects data from web browsers, cryptocurrency wallets, and applications such as WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram.

Checkmarx attributes the campaign to a threat actor under the pseudonym PYTA31, stating that the ultimate goal of the attacker is to exfiltrate sensitive data from the target machines.

Some of the malicious packages include a clipper function, which swaps the clipboard contents for attacker-controlled wallet addresses so that victims unknowingly send funds to the attacker. Other packages are aimed at stealing data from browsers, apps, and cryptocurrency services.

Fortinet emphasizes that this finding shows how a single malware author can distribute multiple information-stealing packages on PyPI, each with its own distinct features.
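The delivery mechanism described above (a Base64 blob inside setup.py that is decoded and either written out as a PE file or passed to exec at install time) is easy to check for before you run pip install on an sdist. The scanner below is an added example, not code from Fortinet, Checkmarx, or the packages in the post: it parses setup.py with the ast module, pulls out long string literals that look like Base64, decodes them, and classifies the decoded bytes as a PE image (MZ header), Python source, or unknown, while also listing install-time calls such as exec and base64.b64decode. The sample setup.py it runs against is constructed here to mimic the shape of the attack, and the embedded "payload" is a harmless print statement plus a fake MZ header; the package name figflix is reused only as a label.

```python
import ast
import base64
import binascii
import re

# --- constructed sample (not a real malicious package) ----------------------
# A harmless Python snippet and a fake PE header, Base64-encoded the way the
# post describes. The scanner never executes either of them.
SAMPLE_PY_PAYLOAD = base64.b64encode(b"print('hello from install hook')\n").decode()
SAMPLE_PE_PAYLOAD = base64.b64encode(b"MZ" + b"\x90" * 62 + b"PE\x00\x00").decode()

SAMPLE_SETUP_PY = f'''
from setuptools import setup
import base64, os, sys

_p = "{SAMPLE_PY_PAYLOAD}"
_w = "{SAMPLE_PE_PAYLOAD}"

if sys.platform == "win32":
    open(os.path.join(os.getenv("TEMP", "."), "svc.exe"), "wb").write(base64.b64decode(_w))
else:
    exec(base64.b64decode(_p))

setup(name="figflix", version="0.0.1")
'''

# Base64 alphabet only, at least 40 characters, optional padding. Prose such as
# a long_description contains spaces and punctuation, so it will not match.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

# Calls that have no business running at install time in a normal setup.py.
DANGEROUS = {
    "exec", "eval", "base64.b64decode", "os.system", "os.popen",
    "subprocess.run", "subprocess.call", "subprocess.Popen",
}


def classify_blob(data: bytes) -> str:
    """Label decoded bytes as a PE image, Python source, or unknown."""
    if data[:2] == b"MZ":                      # DOS/PE header magic
        return "pe"
    try:
        compile(data.decode("utf-8"), "<blob>", "exec")
        return "python"
    except (UnicodeDecodeError, SyntaxError, ValueError):
        return "unknown"


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the callee, e.g. 'base64.b64decode'."""
    f = node.func
    parts = []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""


def scan_setup_py(source: str) -> dict:
    """Find Base64 blobs and install-time execution primitives in setup.py."""
    tree = ast.parse(source)
    findings = {"blobs": [], "dangerous_calls": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.strip()
            if B64_RE.match(text):
                try:
                    data = base64.b64decode(text, validate=True)
                except binascii.Error:
                    continue
                findings["blobs"].append(
                    {"line": node.lineno, "kind": classify_blob(data), "size": len(data)}
                )
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS:
                findings["dangerous_calls"].append({"line": node.lineno, "name": name})
    # Verdict: an embedded executable or script is suspicious on its own; a bare
    # exec/eval or decode call is suspicious too, since setup.py should only
    # describe metadata.
    findings["suspicious"] = any(b["kind"] in ("pe", "python") for b in findings["blobs"]) \
        or bool(findings["dangerous_calls"])
    return findings


if __name__ == "__main__":
    result = scan_setup_py(SAMPLE_SETUP_PY)
    for b in result["blobs"]:
        print(f"line {b['line']}: Base64 blob decodes to {b['kind']} ({b['size']} bytes)")
    for c in result["dangerous_calls"]:
        print(f"line {c['line']}: install-time call {c['name']}")
    print("suspicious:", result["suspicious"])
```

Run it against a downloaded sdist (pip download --no-binary :all: --no-deps PKG, then extract and point scan_setup_py at setup.py) before installing anything from an unfamiliar author. The blob classifier looks at decoded bytes rather than at the mere presence of a long string, so hex digests and similar legitimate literals decode to "unknown" and do not by themselves trip the verdict; a payload that is additionally compressed or XOR-wrapped will also land in "unknown", which is why the list of install-time calls is reported alongside the blobs.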
 