Malicious Python Package Threat Steals User Data


A new cybersecurity threat has emerged, as a malicious Python package on the Python Package Index (PyPI) has been found to employ a sneaky tactic to evade detection and deploy malware. 

The package, named onyxproxy, was uploaded on March 15, 2023, and can harvest and steal sensitive data. Although it has since been removed from the PyPI repository, it had already attracted 183 downloads.

According to software supply chain security firm Phylum, the package incorporates a setup script packed with thousands of seemingly legitimate code strings.

These strings mix characters rendered in bold and italic Unicode fonts, yet the Python interpreter still parses them as ordinary code, which then runs and launches the stealer malware when the package is installed.

The trick the malicious package uses to evade detection is Unicode variants of the same character, also known as homoglyphs. These camouflage the true nature of the code among innocuous-looking function and variable names, making it difficult to detect.

Cybersecurity researchers have previously disclosed the use of Unicode to inject vulnerabilities into source code.

The development highlights the ongoing efforts of threat actors to find new ways to slip past string-matching-based defenses. In this case, they leveraged “how the Python interpreter handles Unicode to obfuscate their malware.”
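A defender-side check for the technique described above, added here as an illustration and not code from the article, Phylum or the onyxproxy package: it tokenizes Python source and flags identifiers written with non-ASCII lookalikes that the interpreter folds to plain ASCII names under NFKC normalization (the rule Python applies to identifiers). The sample source it scans is constructed for the demonstration.

```python
"""Flag identifiers spelled with Unicode lookalike characters (for example the
mathematical bold/italic letters) that Python normalizes to plain ASCII names.

Python applies NFKC normalization to identifiers, so a bold-letter spelling of
'eval' resolves to the very same name as ASCII 'eval'. A scanner that greps the
raw bytes for 'eval' never sees it; comparing the written and normalized forms
of every NAME token does."""
import io
import tokenize
import unicodedata


def find_homoglyph_identifiers(source: str) -> list[tuple[int, str, str]]:
    """Return (line, identifier_as_written, nfkc_form) for each NAME token
    that contains non-ASCII characters but normalizes to an ASCII identifier."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME or tok.string.isascii():
            continue
        folded = unicodedata.normalize("NFKC", tok.string)
        # Genuine non-Latin identifiers (e.g. Cyrillic names) stay non-ASCII
        # after NFKC and are not reported; only ASCII-folding lookalikes are.
        if folded.isascii() and folded != tok.string:
            hits.append((tok.start[0], tok.string, folded))
    return hits


def _bold(word: str) -> str:
    """Spell a lowercase ASCII word with MATHEMATICAL BOLD SMALL letters
    (U+1D41A..U+1D433). NFKC folds these back to the ASCII letters."""
    return "".join(chr(0x1D41A + ord(c) - ord("a")) for c in word)


# Constructed sample: a harmless fragment whose module name and one call are
# spelled with lookalike letters, the way a disguised setup script would be.
SAMPLE_SOURCE = (
    "import " + _bold("base") + "64 as b\n"
    "data = b.b64decode('aGVsbG8=')\n"
    "print(" + _bold("len") + "(data))\n"
)

if __name__ == "__main__":
    for line, written, folded in find_homoglyph_identifiers(SAMPLE_SOURCE):
        print(f"line {line}: {written!r} is read by Python as {folded!r}")
```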

It is concerning that these malicious packages have already been downloaded numerous times, indicating the need for increased vigilance among users and security experts.

In a related discovery, Canadian cybersecurity company PyUp has uncovered three fraudulent Python packages – aiotoolbox, asyncio-proxy, and pycolorz – that have been downloaded over 1,000 times.

These packages are designed to retrieve obfuscated code from a remote server, highlighting the need for constant vigilance against new and emerging cybersecurity threats.
