Hackers Distributing Malicious Python Packages via Popular Developer Q&A Platform

In a further sign that threat actors keep looking for new ways to trick people into installing malware, recent findings show that the community-driven Q&A platform Stack Exchange has been abused to steer unsuspecting developers toward bogus Python packages built to drain their cryptocurrency wallets.

As stated in a report shared by Checkmarx researchers Yehuda Gelb and Tzachi Zornstain with The Hacker News, “Upon installation, this code would automatically trigger a systematic series of actions aimed at compromising and taking control of the victim’s systems, as well as extracting their data and draining their cryptocurrency wallets.”

The campaign, which began on June 25, 2024, specifically targeted cryptocurrency users working with Raydium and Solana. Among the deceptive packages named in the report are “raydium”, “raydium-sdk” and “spl-types”, all of which are discussed below.

To date, these packages have collectively been downloaded 2,082 times. They have since been removed from the Python Package Index (PyPI) repository.

The malicious code hidden within these packages functioned as a full-featured information stealer, harvesting a broad range of data including web browser passwords, cookies, credit card details, cryptocurrency wallets, and data belonging to messaging applications such as Telegram, Signal, and Session.

The code was also able to take screenshots of the system and to search for files containing GitHub recovery codes and BitLocker keys. Once collected, the harvested data was compressed and exfiltrated to two separate Telegram bots operated by the threat actor.

In addition, a separate component of the malicious code established a backdoor, giving the attacker persistent remote access to the victim’s machine and opening the door to follow-on exploitation and long-term compromise.

The attack chain is reported to be multi-staged, with the “raydium” package declaring “spl-types” as a dependency, a move intended to hide the malicious functionality from casual inspection and give the package the appearance of legitimacy.
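The two techniques described above, a harmless-looking wrapper that pulls the real payload in as a dependency and an information stealer that exfiltrates over Telegram bots, are both things a practitioner can look for before running `pip install` on an unfamiliar package. The script below is an added example written for this article, not Checkmarx’s or the attacker’s code: it resolves a package’s declared `Requires-Dist` chain from wheel metadata and runs a set of indicator patterns over every file in the chain. The package names (`swap-helper`, `swap-types`), file contents and the Telegram URL fragment are all constructed for the example and mirror the behaviours the article describes rather than the real packages.

```python
"""Heuristic triage of an untrusted Python distribution before installing it.

Checks the two patterns described in the article: a benign-looking package that
declares a second package as a dependency (the raydium -> spl-types pattern), and
source text matching the stealer behaviours listed (Telegram bot exfiltration,
browser credential stores, screenshots, GitHub recovery codes, BitLocker keys,
hidden exec). The sample index at the bottom is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Rule name -> pattern. Each pattern corresponds to a behaviour named in the article.
INDICATORS = {
    "telegram_bot_exfil": re.compile(r"api\.telegram\.org/bot\w*", re.I),
    "browser_credential_store": re.compile(r"\b(?:Login Data|Cookies|Web Data)\b"),
    "screen_capture": re.compile(r"\b(?:ImageGrab|pyautogui)\b"),
    "recovery_material": re.compile(r"github-recovery-codes|BitLocker", re.I),
    "hidden_exec": re.compile(
        r"\b(?:exec|eval)\s*\(\s*(?:base64\.b64decode|marshal\.loads|compile)\b"
    ),
}

# "Requires-Dist: name (>=1.0) ; extra == 'x'" -> capture just the name.
_REQ_RE = re.compile(r"^Requires-Dist:\s*([A-Za-z0-9][A-Za-z0-9._-]*)", re.M)


@dataclass(frozen=True)
class Finding:
    package: str
    path: str
    rule: str
    line_no: int


def requires_dist(metadata: str) -> list[str]:
    """Dependency names declared in a wheel METADATA file, lower-cased."""
    return [m.group(1).lower() for m in _REQ_RE.finditer(metadata)]


def dependency_chain(root: str, index: dict[str, dict[str, str]]) -> list[str]:
    """Transitive dependencies of `root` that exist in `index`, in discovery order."""
    seen: list[str] = []

    def walk(name: str) -> None:
        for dep in requires_dist(index[name].get("METADATA", "")):
            if dep not in seen and dep in index:
                seen.append(dep)
                walk(dep)

    walk(root)
    return seen


def scan_package(name: str, files: dict[str, str]) -> list[Finding]:
    """Run every indicator over every line of every file in one package."""
    findings: list[Finding] = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for rule, pattern in INDICATORS.items():
                if pattern.search(line):
                    findings.append(Finding(name, path, rule, line_no))
    return findings


def triage(root: str, index: dict[str, dict[str, str]]) -> dict[str, list[Finding]]:
    """Scan `root` and everything it would pull in; results keyed by package name."""
    return {pkg: scan_package(pkg, index[pkg]) for pkg in [root, *dependency_chain(root, index)]}


# Constructed index: a thin wrapper that looks harmless, and the dependency it
# drags in, which carries the stealer logic. Not real package code.
SAMPLE_INDEX = {
    "swap-helper": {
        "METADATA": "Name: swap-helper\nVersion: 0.1.0\nRequires-Dist: swap-types\n",
        "swap_helper/__init__.py": "from swap_types import *  # nothing suspicious here\n",
    },
    "swap-types": {
        "METADATA": "Name: swap-types\nVersion: 0.1.0\n",
        "swap_types/__init__.py": (
            "import base64, glob, marshal, requests\n"
            "from PIL import ImageGrab\n"
            "BOT = 'https://api.telegram.org/bot000000:EXAMPLE/sendDocument'\n"
            "def grab():\n"
            "    for f in glob.glob('**/Login Data', recursive=True): pass\n"
            "    glob.glob('**/github-recovery-codes*.txt', recursive=True)\n"
            "    ImageGrab.grab().save('s.png')\n"
            "exec(base64.b64decode(b'cGFzcw=='))  # second-stage loader\n"
        ),
    },
}

if __name__ == "__main__":
    for pkg, hits in triage("swap-helper", SAMPLE_INDEX).items():
        print(f"{pkg}: {len(hits)} indicator hit(s)")
        for h in hits:
            print(f"  {h.path}:{h.line_no}  {h.rule}")
```

Scanning only the top-level package would report nothing, which is exactly the effect the dependency split is meant to achieve; walking the declared dependency chain first is what surfaces the payload. The indicator list is deliberately narrow and will miss obfuscated code, so treat hits as a reason to inspect the package by hand rather than as a verdict.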

A notable aspect of the campaign is the use of Stack Exchange to accelerate adoption: the attacker posted seemingly helpful answers that pointed to the package in developer questions about how to perform swap transactions on Raydium from Python.

“By opting for a thread with high visibility, attaining thousands of views, the offender maximized the potential outreach,” the researchers said, noting that the move was intended to “endorse this package’s credibility and guarantee vast acceptance.”

Although the answer in question is no longer available on Stack Exchange, references to “raydium” were found in another, unanswered question posted to the platform on July 9, 2024: “I’ve been struggling for several nights to execute a swap on Solana network using Python 3.10.2, having installed Solana, solders, and Raydium, but I’m unable to achieve the desired outcome,” the user wrote.

References to “raydium-sdk” have also been spotted in an article titled “How to Acquire and Dispose of Tokens on Raydium through Python: An Elaborate Solana Guide,” published by a user going by SolanaScribe on the publishing platform Medium on June 29, 2024.

It is unclear exactly when the packages were removed from PyPI, given that other users were still commenting on the Medium post asking how to install “raydium-sdk” as recently as six days before publication. Checkmarx told The Hacker News that the Medium post is not the work of the threat actor.

This is not the first time threat actors have used such techniques to distribute malware. In May, Sonatype disclosed how a package named pytoileur was promoted on another Q&A site, Stack Overflow, to facilitate cryptocurrency theft.

The episode underscores how attackers are exploiting the trust placed in community-driven platforms to spread malware, resulting in widespread software supply chain compromise.

“A single compromised developer can inadvertently introduce vulnerabilities across an entire firm’s software environment, potentially impacting the entire corporate network,” the researchers cautioned. “This attack stands as a cautionary signal for individuals and organizations alike to reevaluate their security strategies.”

The disclosure coincides with a report from Fortinet FortiGuard Labs about a malicious PyPI package named zlibxjson, which contained functionality to steal sensitive data such as Discord tokens, cookies saved in Google Chrome, Mozilla Firefox, Brave, and Opera, and stored browser passwords. The package was downloaded 602 times before it was removed from PyPI.

“Such actions can result in unauthorized access to user accounts and pilfering of personal data, categorizing the software as malicious without ambiguity,” security researcher Jenna Wang said.
