Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
Four different rogue packages in the Python Package Index (PyPI) have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file.

The packages in question are aptx, bingchilling2, httops, and tkint3rs, all of which were collectively downloaded about 450 times before they were taken down. While aptx is an attempt to impersonate Qualcomm's highly popular audio codec of the same name, httops and tkint3rs are typosquats of https and tkinter, respectively.

"Most of these packages had well thought out names, to purposely confuse people," security researcher and journalist Ax Sharma said.

An analysis of the malicious code injected in the setup script reveals the presence of an obfuscated Meterpreter payload that's disguised as "pip," a legitimate package installer for Python, and which can be leveraged to gain shell access to the infected host.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.