W4SP Stealer Stings Python Developers in Supply Chain Attack

[upnorth]

Content source

https://www.darkreading.com/threat-intelligence/w4sp-stealer-aims-to-sting-python-developers-in-supply-chain-attack

Attackers continue to create fake Python packages and use rudimentary obfuscation techniques in an attempt to infect developers' systems with the W4SP Stealer, a Trojan designed to steal cryptocurrency information, exfiltrate sensitive data, and collect credentials from developers' systems.

According to an advisory published this week by software supply chain firm Phylum, a threat actor has created 29 clones of popular software packages on Python Package Index (PyPI), giving them benign-sounding names or purposefully giving them names similar to legitimate packages, a practice known as typosquatting. If a developer downloads and loads the malicious packages, the setup script also installs — through a number of obfuscated steps — the W4SP Stealer Trojan. The packages have accounted for 5,700 downloads, researchers said.

While W4SP Stealer targets cryptocurrency wallets and financial accounts, the most significant objective of the current campaigns appears to be developer secrets, says Louis Lang, co-founder and CTO at Phylum.

W4SP Stealer Stings Python Developers in Supply Chain Attack

Threat actors continue to push malicious Python packages to the popular PyPI service, striking with typosquatting, authentic sounding file names, and hidden imports to fool developers and steal their information.

www.darkreading.com

 

[upnorth]

Researchers from Phylum and Check Point earlier this month reported seeing new malicious packages on PyPI, a package index for Python developers. Analysts at Checkmarx this week connected the same attacker to both reports and said the operator is still releasing malicious packages.

A Checkmarx report detailed hundreds of successful infections of the WASP info-stealer malware, and found a number of interesting features to ensure persistence in a compromised PC and to evade cybersecurity tools. "The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales," wrote Jossef Harush, Checkmarx's head of engineering, noting that the malware's developer claims WASP is undetectable.

PyPI, an open source repository used by developers to share Python packages used in projects, is an increasingly popular target in software supply chain attacks for uploading malicious code via fake packages. The malicious packages are given names that sound legitimate or are similar to real packages, a technique called typosquatting. Developers are therefore fooled into using booby-trapped packages that appear to be useful and legit.

Check Point noted that such packages used for attacks on open source operations – not only PyPI but also others, like NPM – usually involve three steps: malicious code to download and run a virus, carrier code for sneaking the malicious code in, and luring victims – such as through typosquatting – to install the malicious package. The community behind PyPI in August warned about the first-known phishing attack against its users. The malicious package becomes an initial infection point if a developer loads it onto their system, with other malware following – in this case, the WASP (also referred to as W4SP) info-stealing trojan.

WASP malware stings Python developers

Info-stealing trojan hides in malicious PyPI packages on GitHub

www.theregister.com