Threat actors use typosquatting to attack Python programmers with malware, researchers say.
Experts at Spectralops.io recently analyzed PyPI, a software repository for Python developers, and found ten malicious packages on the platform. All of these have been given names that are almost identical to those of legitimate packages to trick developers into downloading and adopting the contaminated packages.
This type of attack is called typosquatting and is a common phenomenon among cybercriminals. It’s not only used in code repositories (although we’ve seen a lot of cases on GitHub in the past), but also in phishing emails, fake websites, and identity theft.
Thousands of developers at risk
If victims accept these packages, they hand over the keys to their kingdoms to cybercriminals, given that the malware can steal private data as well as developers’ credentials. The attackers then sent the data to a third party, and the victims never knew what had happened. As of today, as Spectralops reminds us, PyPI has over 600,000 active users, suggesting that the threat landscape is quite large.
“These attacks are based on the fact that the Python installation process can contain arbitrary pieces of code into which malicious players can insert their malicious code,” explained Ori Abramovsky, data science manager at Spectralops.io. “We found this with machine learning models that analyze the code in these packages and automatically warn you about malware.”
Here is the complete list of affected packages:
- Ascii2text
- Pyg-utils, Pymocks, and PyProto2
- Test-async
- Free VPN and Free VPN2
- Zlibsrc
- Browseradiv
- WINRPCExpoit
Researchers contacted PyPI, which removed the malicious packages from its repository shortly thereafter. Even so, developers who downloaded them in the past are still at risk and should refresh their passwords and other login credentials just in case.
“The most important thing is how common these malicious packages are,” Abramovsky continued. “They are simple but dangerous. Personally, when I encountered this type of attack, I started double-checking every Python package I use. Sometimes I even download it and manually watch its code before installing it.”