Ethical Hacking News
Malicious Python packages on PyPI have been downloaded tens of thousands of times and are built to exfiltrate sensitive data. The packages masquerade as legitimate code but are designed to steal from the people who install them. This article walks through what the packages did and the steps developers can take to keep such packages out of their projects.
Malicious Python packages were found on PyPI, a popular open-source software repository, with over 39,000 downloads between them. Two of the packages, bitcoinlibdbfix and bitcoinlib-dev, stole sensitive data by overwriting a legitimate command with malicious code. A third package, disgrasya, was openly malicious: it contained a script that targeted WooCommerce stores and tested stolen credit cards against real checkout systems. The attackers disguised the packages as innocent libraries to gain user trust before exfiltrating data. Developers are advised to vet the packages they install, confirming the exact name, pinning versions and reviewing unfamiliar code, rather than trusting a plausible name or a download count.
Threat Intelligence Alert: Malicious Python Packages on PyPI Downloaded 39,000+ Times, Steal Sensitive Data
Open-source package repositories have become a favoured distribution channel for malware. This article covers a set of malicious Python packages published to the Python Package Index (PyPI) that were built to steal sensitive data.
A malicious Python package is one published on PyPI with code designed to harm or exploit the systems that install it. Two such packages, bitcoinlibdbfix and bitcoinlib-dev, were discovered by researchers at ReversingLabs. They masquerade as fixes for recently reported issues in a legitimate Python module, bitcoinlib.
According to the ReversingLabs report, both packages are designed to steal sensitive data. Once installed, they attempt to overwrite the legitimate 'clw' command-line interface (bitcoinlib's command-line wallet tool) with malicious code that tries to exfiltrate sensitive database files.
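One way a package can take over a command such as clw is simply to declare the same console_scripts name in its own metadata, so that installing it replaces the launcher the legitimate package put on PATH. The following is an added example, not ReversingLabs' tooling and not a confirmed description of how the malicious packages did the overwrite: it reads a wheel's entry_points.txt and reports any script name that already belongs to a different installed distribution, before anything from the candidate package is executed. The wheel is constructed in memory for the example, and the entry-point target bitcoinlibdbfix.cli:main is hypothetical; only the script name clw and the package name come from the article.

```python
"""Pre-install check: does a candidate wheel try to claim a console script
that another installed distribution already owns?

Added example. The sample wheel is constructed here and the target
'bitcoinlibdbfix.cli:main' is hypothetical.
"""
import io
import zipfile
from importlib import metadata


def build_sample_wheel(dist_name: str, version: str, scripts: dict) -> bytes:
    """Construct a minimal wheel-like zip that carries only entry_points.txt.
    (Constructed test input; a real wheel also carries code, METADATA and RECORD.)"""
    dist_info = f"{dist_name.replace('-', '_')}-{version}.dist-info"
    lines = ["[console_scripts]"] + [f"{k} = {v}" for k, v in scripts.items()]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{dist_info}/entry_points.txt", "\n".join(lines) + "\n")
    return buf.getvalue()


def declared_console_scripts(wheel_bytes: bytes) -> dict:
    """Return {script_name: 'module:attr'} from the wheel's entry_points.txt."""
    scripts = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for member in zf.namelist():
            if not member.endswith(".dist-info/entry_points.txt"):
                continue
            section = None
            for raw in zf.read(member).decode().splitlines():
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                if line.startswith("[") and line.endswith("]"):
                    section = line[1:-1].strip()
                elif section == "console_scripts" and "=" in line:
                    key, _, value = line.partition("=")
                    scripts[key.strip()] = value.strip()
    return scripts


def installed_console_scripts() -> dict:
    """Map every console script known to this interpreter to the distribution that owns it."""
    owners = {}
    for dist in metadata.distributions():
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                owners[ep.name] = dist.metadata["Name"]
    return owners


def find_collisions(wheel_bytes: bytes, candidate_name: str, owners: dict = None) -> list:
    """List (script, current_owner, new_target) for every script the candidate
    would install over one that a *different* distribution already provides.
    `owners` defaults to the live environment; pass a dict to test offline."""
    owners = installed_console_scripts() if owners is None else owners
    hits = []
    for script, target in declared_console_scripts(wheel_bytes).items():
        owner = owners.get(script)
        if owner and owner.lower() != candidate_name.lower():
            hits.append((script, owner, target))
    return hits


if __name__ == "__main__":
    sample = build_sample_wheel("bitcoinlibdbfix", "0.1", {"clw": "bitcoinlibdbfix.cli:main"})
    for script, owner, target in find_collisions(sample, "bitcoinlibdbfix"):
        print(f"'{script}' already belongs to {owner}; candidate would point it at {target}")
```

Run it against a wheel obtained with `pip download` (no install) and the live environment; a hit means the package would silently replace a command you already use, which is exactly the behaviour described for the bitcoinlib impostors. A legitimate upgrade of the same distribution does not trigger it, since the owner name matches.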
In addition, Socket, a software supply-chain security company, found a third package, disgrasya, that was openly malicious: it contained a fully automated carding script targeting WooCommerce stores. The name is Filipino slang for 'disaster' or 'accident'.
The script's purpose is to test whether stolen credit cards are still valid by running them through real WooCommerce checkout flows without triggering fraud detection. Unlike the bitcoinlib impostors, disgrasya carries no payload aimed at the person installing it; the abuse is aimed at merchants, and the package itself is the tool. According to Socket, "By embedding this logic inside a Python package published on PyPI and downloaded over 34,000 times, the attacker created a modular tool that could be easily used in larger automation frameworks, making disgrasya a powerful carding utility disguised as a harmless library."
The script achieves this by emulating a legitimate shopper. It programmatically finds a product, adds it to a cart, navigates to the WooCommerce checkout page, and fills the payment form with randomized billing details and the stolen card data.
The malicious payload was introduced in version 7.36.9, and every later version carried the same embedded attack logic. This is carding: an automated form of payment fraud in which a bulk list of stolen credit or debit card details is tested against a merchant's payment processing system to find which cards are still live.
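On the merchant side, the behaviour described above (many checkout submissions from one client in a short time, each with fresh billing details and a different card) is what a velocity check is built to catch. The following added example, not code from Socket or from WooCommerce, runs such a check over constructed checkout log lines. The log format, the addresses (RFC 5737 documentation ranges), the names and the card numbers are all invented for the example; a real deployment would read the same fields from the store's payment-gateway or web-server logs.

```python
"""Velocity check for card-testing (carding) against a checkout endpoint.

Added example over a constructed log. Flags a client that submits many
payment attempts with many distinct cards inside a short window; a real
shopper retrying one declined card never trips the distinct-card threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed checkout audit log (not a real WooCommerce log format).
# One line per payment submission: timestamp, client IP, billing name, masked card, outcome.
SAMPLE_LOG = """\
2025-04-04T10:00:01Z 203.0.113.7 POST /checkout/ name="Ana Reyes" card=411111******1111 result=declined
2025-04-04T10:00:05Z 198.51.100.20 POST /checkout/ name="Dana Ortiz" card=411111******9999 result=declined
2025-04-04T10:00:24Z 203.0.113.7 POST /checkout/ name="Jose Cruz" card=411111******2222 result=declined
2025-04-04T10:00:40Z 198.51.100.20 POST /checkout/ name="Dana Ortiz" card=411111******9999 result=approved
2025-04-04T10:00:47Z 203.0.113.7 POST /checkout/ name="Maria Santos" card=510510******3333 result=approved
2025-04-04T10:01:10Z 203.0.113.7 POST /checkout/ name="Luis Garcia" card=411111******4444 result=declined
2025-04-04T10:01:33Z 203.0.113.7 POST /checkout/ name="Carla Dizon" card=510510******5555 result=declined
2025-04-04T10:01:56Z 203.0.113.7 POST /checkout/ name="Rafael Lim" card=411111******6666 result=approved
2025-04-04T10:03:12Z 198.51.100.21 POST /checkout/ name="Ben Tan" card=411111******7777 result=approved
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) POST /checkout/ name="(?P<name>[^"]*)" '
    r'card=(?P<bin>\d{6})\*+(?P<last4>\d{4}) result=(?P<result>\w+)$'
)


def parse_log(text):
    """Yield one dict per well-formed checkout line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "name": m["name"],
            # BIN plus last four is enough to tell cards apart for this purpose
            "card": f'{m["bin"]}-{m["last4"]}',
            "result": m["result"],
        }


def flag_carding(text, window_seconds=300, min_attempts=5, min_distinct_cards=4):
    """Per client IP, slide a time window over checkout attempts and record the
    first moment at which both the attempt count and the number of distinct
    cards reach the thresholds. Returns {ip: stats} for flagged clients only."""
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()
        for ev in events:
            window.append(ev)
            # drop attempts that fell out of the window
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            cards = {e["card"] for e in window}
            if len(window) >= min_attempts and len(cards) >= min_distinct_cards:
                flagged[ip] = {
                    "tripped_at": ev["ts"].isoformat(),
                    "attempts": len(window),
                    "distinct_cards": len(cards),
                    "distinct_names": len({e["name"] for e in window}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_carding(SAMPLE_LOG).items():
        print(ip, stats)
```

The distinct-name count is reported because the script described above randomizes billing details per attempt; a retrying customer reuses both card and name, so a high card count with a high name count from one client is a strong carding signal even before the decline ratio is considered. Thresholds are starting points, not tuned values.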
To lure victims to the counterfeit bitcoinlib packages, their authors joined a GitHub issue discussion about the legitimate module and, unsuccessfully, tried to persuade users to download the purported fix and run it. The social-engineering step is the one that matters: attackers keep adapting their tactics, techniques, and procedures (TTPs) so that the malicious package turns up where users are already looking for help.
These incidents are a reminder that open-source package repositories are now a routine channel for malicious code, and that a plausible name or a healthy download count says nothing about a package's safety. Attackers deliberately imitate legitimate software and libraries, so genuine and malicious content cannot be told apart by appearance alone.
Users should be careful when installing software or libraries from open-source repositories: confirm the exact package name against the project's own documentation or repository, prefer pinned versions with hash verification, and look inside an unfamiliar package, in particular any install-time hooks and console-script entry points, before running it. For developers, the review effort belongs on the dependencies they pull in as much as on the code they publish.
The discovery of these malicious packages on PyPI underlines the need for awareness and vigilance around open-source software repositories. As the threat landscape evolves, users and developers alike should stay informed about emerging threats and take proactive measures to avoid falling victim to such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-Python-Packages-on-PyPI-A-Threat-to-Sensitive-Data-Exfiltration-ehn.shtml
https://thehackernews.com/2025/04/malicious-python-packages-on-pypi.html
https://undercodenews.com/malicious-python-packages-exposed-pypi-libraries-used-in-credit-card-theft-and-fraud/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://cybersecuritynews.com/apt-attack/
Published: Sat Apr 5 05:11:46 2025 by llama3.2 3B Q4_K_M