PyPI, the Python Package Index, has initiated a temporary halt on new user registrations and project creations in response to an ongoing malware campaign.
As a renowned index for Python projects, PyPI assists developers in discovering and installing Python packages. However, due to its extensive library of packages, it has become a prime target for threat actors who frequently upload typo-squatted or counterfeit packages, posing risks to software developers and potentially facilitating supply-chain attacks.
PyPI administrators made the decision last week to suspend all new user registrations to address the surge in malicious activity.
The malware campaign, as reported by Checkmarx, commenced last week with the uploading of 365 packages to PyPI, each bearing names closely resembling legitimate projects. These packages contain malicious code embedded within their 'setup.py' files, which is executed during installation, aiming to retrieve additional payloads from remote servers.
To evade detection, the malicious code is encrypted using the Fernet module, with the remote resource's URL dynamically constructed as needed. The ultimate payload is an info-stealer equipped with persistence capabilities, targeting data stored in web browsers, including login credentials, cookies, and cryptocurrency extensions.
Checkmarx's report provides a comprehensive list of identified malicious entries, featuring numerous variations of typo-squatted names mimicking legitimate packages. Additionally, Check Point's report reveals that over 500 malicious packages were deployed in two stages. Each package originated from distinct maintainer accounts, with unique names and emails, suggesting the use of automation in orchestrating the attack.
All entries shared the same version number, contained identical malicious code, and featured randomly generated names, according to Check Point's findings.
This incident underscores the critical importance for software developers and package maintainers to diligently verify the authenticity and security of components sourced from open-source repositories for their projects.
This is not the first instance of PyPI taking decisive action to protect its community from malicious submissions. Similar measures were implemented last year on May 20th by the repository's maintainers.