Open source repositories, such as the Python Package Index (PyPI), are critical components of the software supply chain. Unfortunately, these repositories can also be the source of malicious code that threatens the security and privacy of users. In recent months, researchers have uncovered a number of rogue packages in PyPI that carry out harmful actions, including dropping malware, deleting important utilities, and manipulating system files.
The latest discovery of four malicious packages in PyPI highlights the growing risk of malicious code in open source repositories. The packages, named aptx, bingchilling2, httops, and tkint3rs, were collectively downloaded about 450 times before they were taken down. According to security researcher Ax Sharma, most of these packages had well thought-out names to confuse people. An analysis of the code reveals the presence of an obfuscated Meterpreter payload disguised as the legitimate “pip” package installer. This payload can be used to gain shell access to the infected host. Additionally, the malware also removes the “netstat” utility and modifies the “.ssh/authorized_keys” file to set up an SSH backdoor for remote access.
Unfortunately, these findings are not isolated incidents. Fortinet FortiGuard Labs recently uncovered five different Python packages that are designed to harvest and exfiltrate sensitive information. The malicious packages were named web3-essential, 3m-promo-gen-api, ai-solver-gen, hypixel-coins, httpxrequesterv2, and httpxrequester.
These disclosures come as ReversingLabs shed light on a malicious npm module named aabquerys, which masquerades as the legitimate abquery package. The obfuscated JavaScript code includes the capability to retrieve a second-stage executable from a remote server. This executable contains a known vulnerable Avast proxy binary that can be exploited for DLL side-loading attacks. This allows the threat actor to invoke a malicious library and fetch a third-stage component, Demon.bin, from a command-and-control (C2) server. Demon.bin is a malicious agent with typical remote access trojan (RAT) functionalities and was generated using an open-source, post-exploitation, command-and-control framework named Havoc.
The findings of these recent discoveries underscore the importance of being vigilant and proactive in protecting against malicious code hiding in open source repositories. Organizations can train their employees to identify and avoid malicious packages, as well as implement robust security solutions to detect and prevent the spread of malware. In the event of a successful attack, organizations should also have a plan in place for forensic analysis and recovery to minimize the damage.
In conclusion, while open source repositories like PyPI and npm provide access to a vast array of useful packages and tools, they also pose a serious threat to the security and privacy of users. It is important for organizations and individuals to stay informed about the latest threats and take necessary measures to protect themselves.