29 malicious PyPI packages spotted delivering the W4SP Stealer

Cybersecurity researchers discovered 29 malicious PyPI packages delivering the W4SP stealer to developers’ systems.

Cybersecurity researchers have discovered 29 packages in the official Python Package Index (PyPI) repository designed to infect developers’ systems with an info-stealing malware dubbed W4SP Stealer.

“It appears that these packages are a more sophisticated attempt to deliver the W4SP Stealer onto Python developers’ machines by hiding a malicious import,” states security firm Phylum. “Similar to this attacker’s previous attempts, this particular attack starts by copying existing popular libraries and simply injecting a malicious import statement into an otherwise healthy codebase.”

The attack started around October 12, 2022, and peaked on October 22. In the majority of packages, especially the earlier ones, the malicious import was simply injected into either setup.py or __init__.py.

The threat actors changed tactics over time and started taking advantage of Python’s seldom-used semicolon to hide the malicious code on the same line as legitimate code.

In a few packages, the researchers also observed the attacker attempting to evade detection by not using the import statement at all. In these cases, the attackers used the setup.py file to try to pip install one of the other malicious packages that did contain the malicious code.
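Both tactics described above, an import sharing a line with other code via a semicolon and a setup.py that pip-installs another package, can be flagged statically when reviewing a dependency's source. The scanner below is an added example, not code from Phylum or the original article; the sample setup.py and the package names examplepkg_a and examplepkg_b are constructed placeholders.

```python
import ast

PIP_NAMES = {"pip", "pip3"}

# Constructed sample setup.py; the package names are placeholders.
SAMPLE_SETUP = '''
from setuptools import setup
import os
VERSION = "1.0.0"; import examplepkg_a
os.system("pip install examplepkg_b")
setup(name="demo", version=VERSION)
'''

def scan_source(source, filename="<source>"):
    """Return sorted (rule, line, detail) findings for one Python file."""
    tree = ast.parse(source, filename)
    findings = set()
    for node in ast.walk(tree):
        # Rule 1: sibling statements that share a physical line can only be
        # joined by ';'. Flag the pair when either statement is an import.
        for field in ("body", "orelse", "finalbody"):
            stmts = getattr(node, field, None)
            if not isinstance(stmts, list):
                continue
            for prev, cur in zip(stmts, stmts[1:]):
                if prev.end_lineno != cur.lineno:
                    continue
                for stmt in (prev, cur):
                    if isinstance(stmt, (ast.Import, ast.ImportFrom)):
                        names = ",".join(a.name for a in stmt.names)
                        origin = getattr(stmt, "module", None)
                        detail = f"{origin}:{names}" if origin else names
                        findings.add(("semicolon-import", stmt.lineno, detail))
        # Rule 2: a call whose string arguments spell out "pip ... install",
        # e.g. os.system("pip install x") or subprocess.run(["pip", "install", "x"]).
        if isinstance(node, ast.Call):
            words = []
            for sub in ast.walk(node):
                if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                    words.extend(sub.value.split())
            if PIP_NAMES & set(words) and "install" in words:
                findings.add(("pip-install-call", node.lineno, " ".join(words)))
    return sorted(findings, key=lambda f: (f[1], f[0]))

if __name__ == "__main__":
    for rule, line, detail in scan_source(SAMPLE_SETUP):
        print(f"line {line}: {rule}: {detail}")
```

Because it only parses the file and never imports or executes it, the scanner can be run over an unpacked sdist before installation. A hit is a prompt for manual review, not proof of malice.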

Below is a list of the suspicious packages discovered by the experts:

typesutil

typestring

sutiltype

duonet

fatnoob

strinfer

pydprotect

incrivelsim

twyne

pyptext

installpy

faq

colorwin

requests-httpx

colorsama

shaasigma

stringe

felpesviadinho

cypress

pystyte

pyslyte

pystyle

pyurllib

algorithmic

oiu

iao

curlapi

type-color

pyhints

Collectively, the above packages have totaled more than 5,700 downloads.

“As this is an ongoing attack with constantly changing tactics from a determined attacker, we suspect to see more malware like this popping up in the near future,” Phylum concludes.

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

The post 29 malicious PyPI packages spotted delivering the W4SP Stealer appeared first on Security Affairs.