
This Week in Malware – 450 Packages and a Phishing Campaign Against PyPI Maintainers

This week in malware we discovered and analyzed 450 packages flagged as malicious, suspicious, or dependency confusion attacks.

Also, this week a phishing email campaign targeted PyPI maintainers in attempts to compromise accounts and inject malware into the registry’s packages.

Additionally, Sonatype’s director of information security explored the connection between security and procurement.

Ongoing phishing: email campaign still trying to catch PyPI maintainers unawares

An ongoing phishing attack seeks to steal PyPI maintainer credentials and lace their legitimate packages with malware.

Reportedly the first known phishing campaign against PyPI, the scheme attempts to fool maintainers into running a purported Google-implemented “mandatory validation process” or risk removal from the registry.


Any unsuspecting developer who clicks through and provides credentials via a lookalike login page unknowingly exposes their packages for abuse. Hijacked versions of packages then download a malware file from a remote server.

PyPI removed affected releases, such as ‘spam’ (versions 2.0.2 and 4.0.2) and ‘exotel’ (version 0.1.6), froze compromised maintainer accounts, and removed “several hundred typosquats that fit the same pattern.” Registry admins remain in active review to identify any additional malicious releases. 
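The "several hundred typosquats that fit the same pattern" are the kind of thing a dependency review can catch before install. The following is an added example, not code from the original post or from Sonatype: it flags requirement names that sit within a small edit distance of a known package, using PEP 503 name normalization and a constructed allow-list and requirements sample (the names `bootlstap`, `browsersilst` and `babel-polyflil` are illustrative lookalikes).

```python
"""Flag requirement names that sit within a small edit distance of a known package."""
import re

# Constructed allow-list of well-known names (a real scan would use a far larger list).
KNOWN = ("bootstrap", "browserslist", "babel-polyfill", "body-parser", "requests", "numpy")

# Constructed sample requirements file; not taken from the original post.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
bootlstap==5.2.0        # one letter inserted, one dropped
browsersilst>=4.0       # two letters swapped
babel-polyflil          # two letters swapped
numpy==1.23.0
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) computed with two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, known=KNOWN, max_distance=2):
    """Known names close to, but not identical with, the requested name."""
    n = normalize(name)
    hits = [(k, levenshtein(n, normalize(k))) for k in known]
    return sorted(((k, d) for k, d in hits if 0 < d <= max_distance), key=lambda h: (h[1], h[0]))


def scan_requirements(text: str, known=KNOWN, max_distance=2):
    """Map each suspicious requirement name to its lookalike candidates."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blank lines
        if not line:
            continue
        name = re.split(r"[=<>!~\[; ]", line, maxsplit=1)[0]  # strip specifiers/extras
        hits = typosquat_candidates(name, known, max_distance)
        if hits:
            findings[name] = hits
    return findings
```

Exact matches are deliberately not reported, so a correctly spelled dependency never trips the check; anything within distance 2 of a known name is worth a human look before it is installed.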

For more information, see Ax Sharma’s BleepingComputer article.

The long list of this week’s malicious packages

We caught the following this week via Sonatype’s automated malware detection system, offered as a part of Nexus Firewall:


*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Aaron Linskens. Read the original post at: https://blog.sonatype.com/this-week-in-malware-aug-26-22