- Aug 17, 2017
A malicious package that mimics the VMware vSphere connector module ‘vConnector’ was uploaded on the Python Package Index (PyPI) under the name ‘VMConnect,’ targeting IT professionals. VMware vSphere is a virtualization tools suite, and vConnector is an interfacing Python module used by developers and system administrators, downloaded roughly 40,000 a month via PyPI. According to Sonatype’s researcher and BleepingComputer’s reporter, Ax Sharma, the malicious package uploaded onto PyPI on July 28, 2023, gathered 237 downloads until its removal on August 1, 2023.
Sonatype’s investigation revealed two more packages with identical code as ‘VMConnect,’ namely ‘ethter’ and ‘quantiumbase,’ downloaded 253 and 216 times, respectively. The ‘ethter’ package mimics the legitimate ‘eth-tester’ package, which has over 70,000 monthly downloads, while ‘quantiumbase’ is a clone of the ‘databases’ package, which is downloaded 360,000/month. All three malicious packages featured the functionality of the projects they mimicked, which could trick victims into believing they are running legitimate tools and prolong the duration of an infection.