“Kekw” Malware in Python Packages Could Steal Data and Hijack Crypto

Several malicious Python .whl files containing a new type of malware called “Kekw” have been found on PyPI (Python Package Index).

According to new data from Cyble Research and Intelligence Labs (CRIL), Kekw malware can steal sensitive information from infected systems, perform clipper activity, and hijack cryptocurrency transactions.

“Our investigation found that the Python package under scrutiny did not exist in the PyPI repository, indicating that the Python security team had removed the malicious package,” CRIL wrote in an advisory published Wednesday.

“Moreover, it was verified by the Python Security Team on February 5th, 2023 and confirmed that the malicious package was removed within 48 hours of being uploaded.”

The packages were removed so quickly that Cyble says it cannot determine how many people downloaded them.

“Nevertheless, we believe the impact of the incident may have been minimal,” reads the advisory.

Commenting on the news, Mike Parkin, senior technical engineer at Vulcan Cyber, said the package is a prime example of the supply chain attacks that attackers are favoring today. He also acknowledged that the team running the repository handled the situation appropriately.


“It’s not realistic to expect public repositories to do the work for you. They do a lot, but you can expect attackers to continue using this approach. The responsibility for due diligence ultimately lies with the developer,” added Parkin.

John Bambenek, Netenrich’s lead threat hunter, commented more generally that the advantage of open source software and libraries is that they rapidly improve the productivity and outcomes of software engineering efforts, but the downside is that anyone, including threat actors, can contribute code.

“Malicious activity like this can be spotted quickly, but open source software efforts don’t have large SOCs that protect their efforts from malicious code injection,” the security expert added.

Just a few months ago, Sonatype discovered a significant number of malicious packages on the npm and PyPI open source registries.
