
Yet another campaign targeting the Python Package Index (PyPI) repository has been found deploying six malicious packages that drop information stealers on developer systems.
Now-removed packages discovered by Phylum between December 22nd and December 31st, 2022 include pyrlogin, easytimestamp, disorder, discord-dev, style.py, and pythonstyles.
Malicious code is increasingly hidden in the setup scripts (setup.py) of these libraries, so a simple “pip install” command can launch the malware deployment process.
The malware launches a PowerShell script that retrieves a ZIP archive, installs invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and executes Visual Basic scripts extracted from the archive to run further PowerShell code.
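As an added defensive example (not code from the Phylum report or from the packages it describes), the check below walks a setup.py's syntax tree and flags the install-time hook pattern the campaign relies on: a custom setuptools install command that spawns a shell or PowerShell process. The call list, marker strings and the sample setup.py are constructed for illustration.

```python
import ast

# Constructed heuristics: Python APIs that let a setup.py run commands or decoded
# payloads during "pip install", plus strings typical of a PowerShell/VBS loader.
SUSPICIOUS_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
                    "subprocess.call", "exec", "eval", "base64.b64decode"}
SUSPICIOUS_STRINGS = ("powershell", "-encodedcommand", "cloudflared", ".vbs")
INSTALL_HOOK_BASES = ("install", "setuptools.command.install.install")

def _dotted_name(node):
    # Turn a Name/Attribute chain such as subprocess.Popen into "subprocess.Popen".
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_setup_py(source):
    """Return sorted (lineno, finding) tuples for a setup.py source string."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.add((node.lineno, f"call to {name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for marker in SUSPICIOUS_STRINGS:
                if marker in node.value.lower():
                    findings.add((node.lineno, f"string contains {marker!r}"))
        elif isinstance(node, ast.ClassDef):
            # Subclassing setuptools' install command is the usual install-time hook.
            if any(_dotted_name(b) in INSTALL_HOOK_BASES for b in node.bases):
                findings.add((node.lineno, f"custom install command {node.name}"))
    return sorted(findings)

# Constructed sample setup.py mimicking the hook pattern; not code from the packages.
SAMPLE_SETUP = '''from setuptools import setup
from setuptools.command.install import install
import subprocess
class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.Popen(["powershell", "-w", "hidden", "-c", "<stage-two loader>"])
setup(name="pkg", version="0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for lineno, finding in scan_setup_py(SAMPLE_SETUP):
        print(f"line {lineno}: {finding}")
```

Run it against a downloaded sdist before installing; an empty result is not a clean bill of health, only the absence of these particular patterns.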
“These libraries let you control and monitor mouse and keyboard input and capture screen content,” Phylum said in a technical report published last week.
The rogue packages can also collect cookies, saved passwords, and cryptocurrency wallet data from the Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, Opera GX, and Vivaldi browsers.
In a novel twist, the attack also attempts to download and install cloudflared, the command-line client for Cloudflare Tunnel. The tool “provides a secure way to connect resources to Cloudflare without a publicly routable IP address.”
Simply put, the idea is to use the tunnel to gain remote access to the compromised machine through a Flask-based app that hosts a Trojan called xrat (codenamed poweRAT by Phylum).
The malware allows attackers to execute shell commands, download remote files and execute them on the host, steal entire files and directories, and even execute arbitrary Python code.
The Flask application also supports a “live” feature that uses JavaScript to listen for mouse and keyboard events and capture screenshots of the system, in order to harvest sensitive information as the victim enters it.
“It’s like a RAT on steroids,” Phylum said. “All the basic RAT functionality is packed into a nice web GUI with basic remote desktop functionality and a stealer to boot!”
This finding is another window into how attackers are continuously evolving their tactics to target open source package repositories and launch supply chain attacks.
Late last month, Phylum also detailed a number of rogue npm modules that were found to steal environment variables from the systems they were installed on.