Table of Contents
8 Malicious Python Libraries Found On PyPI – Remove Them As Soon As Possible
Researchers identified eight malicious Python libraries on PyPI web portal. According to the report, these packages were downloaded more than 30000 times. However, all the packages were removed from the portal after finding them containing malicious code for stealing credit cards and injecting code. Let’s see more about these malicious Python Libraries.
We have been told several times, supply chain attacks are dramatically increasing these days. Because supply chain attacks are hard to identify and easy to compromise, this is quite obvious. People trust the vendor sites to download the packages and install them on their resources, assuming they are secure. To the sad, sometimes attackers succeed in hosting infected packages on the Vendor sites to launch the attack on the customers. This development in the cyber world made people no surprise even if their network gets infected from a genuine source.
What Is PyPI?
PyPI is the official third-party package repository for Python on which millions of Python packages are available for download. It is also called Python Package Index.
List Of Malicious Python Libraries Found On PyPI:
Lint of Malicious Python Libraries are listed below:
Package name | Maintainer | Payload |
---|---|---|
noblesse | xin1111 | Discord token stealer, Credit card stealer (Windows-based) |
genesisbot | xin1111 | Same as noblesse |
are | xin1111 | Same as noblesse |
suffer | suffer | Same as noblesse , obfuscated by PyArmor |
noblesse2 | suffer | Same as noblesse |
noblessev2 | suffer | Same as noblesse |
pytagora | leonora123 | Remote code injection |
pytagora2 | leonora123 | Same as pytagora |
What Is The Impact Of These Malicious Python Libraries?
The research found that these packages were found communicating with other malicious codes for plunder credit cards information, download other malware programs on the victim machine, steal passwords stored on the web browsers. Remote code executions, amass system information, steal discord authentication tokens to impersonate victims, injecting code, and maybe more.
What Should You Do If You Have Downloaded Any Of These Malicious Python Libraries?
Supply chain attacks are almost impossible to prevent and difficult to detect. However, we have to learn how to be safeguard from such attacks. We suggest a few things, which could help you stop these attacks and few action items to minimize the damage if you have downloaded any packages.
Precautions:
Set up an identical pre-production environment and run the security test on the newly-downloaded software or packages.
Always keep the backup up to date to restore if in case of breakdown.
Action items if you found infected:
Isolate the infected machine.
Remove the malicious Python packages from the machine.
Check the saved password in the browsers and change these compromised passwords in each respective website. Go here to see the saved passwords in edge browser: edge://settings/passwords
Check the saved card information on the browser. Cancel the card if saved. Go here to see the saved cards in Chrome: chrome://settings/payments
Run the full scan with antimalware solutions.
Restore the system if you have taken the backup.
Thanks for reading this post. Please share this post and help to secure the digital world.
You may also like these articles:
How Can You Protect Your Computer From Infected 'COA' and 'rc' NPM Packages?
How to Protect Your Private NPM Packages Being Exposed Using NPM API Timing Attack
What is Package Planting Vulnerability In NPM? How Does NPM Fix It?
How To Fix CVE-2021-22931- Missing Input Validation In Domain Names In Node.js
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.