Malicious Python Package Threat Steals User Data

A new cybersecurity threat has emerged, as a malicious Python package on the Python Package Index (PyPI) has been found to employ a sneaky tactic to evade detection and deploy malware. 

The package, named onyxproxy, was uploaded on March 15, 2023, and can harvest and steal sensitive data. Although it has since been removed from the PyPI repository, it had already attracted 183 downloads.

According to software supply chain security firm Phylum, the package incorporates a setup script packed with thousands of seemingly legitimate code strings.

These strings appear as a mix of bold and italic fonts, yet the Python interpreter can still parse them, and they trigger execution of the stealer malware when the package is installed.

To evade detection, the malicious package uses Unicode variants of the same character, also known as homoglyphs. These camouflage the true nature of the code among innocuous-looking functions and variables, making it difficult to detect.

Cybersecurity researchers have previously disclosed the use of Unicode to inject vulnerabilities into source code.

The development highlights the ongoing efforts of threat actors to find new ways to slip through string-matching-based defenses, in this case by leveraging “how the Python interpreter handles Unicode to obfuscate their malware.”
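A detection sketch for the technique described above, added here as an example (it is not code from Phylum or from the package): Python normalizes identifiers to NFKC when it parses source, so styled Unicode letters compile to the plain ASCII names while a substring search never sees them. The function names, the code points chosen and the sample source are constructed for illustration.

```python
import io
import tokenize
import unicodedata

def find_disguised_names(source):
    """Return (line, raw, normalized) for every identifier that NFKC rewrites."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME:
            continue
        folded = unicodedata.normalize("NFKC", tok.string)
        if folded != tok.string:  # the interpreter will see `folded`, not the raw text
            hits.append((tok.start[0], tok.string, folded))
    return hits

def naive_match(source, needle="print"):
    """Stand-in for a string-matching scanner looking for a known name."""
    return needle in source

def compiled_names(source):
    """Names the compiler actually resolved, without executing the code."""
    return set(compile(source, "<sample>", "exec").co_names)

def styled(word, base):
    """Map lowercase ASCII letters onto a Unicode mathematical alphabet (sample helper)."""
    return "".join(chr(base + ord(c) - ord("a")) for c in word)

BOLD_A = 0x1D41A         # MATHEMATICAL BOLD SMALL A
SANS_ITALIC_A = 0x1D622  # MATHEMATICAL SANS-SERIF ITALIC SMALL A

# Constructed, harmless sample: print(len(greeting)) written with styled letters.
SAMPLE = (
    "greeting = 'hello'\n"
    + styled("print", BOLD_A) + "(" + styled("len", SANS_ITALIC_A) + "(greeting))\n"
)

if __name__ == "__main__":
    print("substring scanner sees 'print':", naive_match(SAMPLE))
    print("compiler resolved:", sorted(compiled_names(SAMPLE)))
    for line, raw, folded in find_disguised_names(SAMPLE):
        print(f"line {line}: {raw!r} is parsed as {folded!r}")
```

Identifiers that are legitimately non-ASCII but not in NFKC form are also reported, so treat a hit in a setup script as a prompt for manual review rather than a verdict.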

It is concerning that these malicious packages have already been downloaded numerous times, indicating the need for increased vigilance among users and security experts.

In a related discovery, Canadian cybersecurity company PyUp has uncovered three fraudulent Python packages – aiotoolbox, asyncio-proxy, and pycolorz – that have been downloaded over 1,000 times.

These packages are designed to retrieve obfuscated code from a remote server, highlighting the need for constant vigilance against new and emerging cybersecurity threats.


JP Buntinx
