Malicious Python Packages Found on PyPI Target Developers and Crypto Users

Security researchers have uncovered several malicious Python packages uploaded to the official Python Package Index (PyPI), targeting software developers and cryptocurrency users with malware.

Quick timeline of events:

• Early March 2024: Attackers begin uploading malicious Python packages to PyPI.
• March 2024: Package remains live on PyPI, being downloaded and installed by unsuspecting users.
• Late March 2024: Security researchers at Fortinet Unit 42 detect several suspicious packages.
• Early April 2024: PyPI maintainers remove the malicious packages.

The discovery was made by cybersecurity teams at Fortinet and Palo Alto Networks’ Unit 42. They identified dozens of packages designed to impersonate popular libraries like ‘requests’, ‘colorama’, and ‘urllib3’. The code found in these packages contained code that harvests sensitive data once installed, including browser credentials, crypto wallet files, and system information.

The malicious code was generally embedded in setup.py files, using obfuscation techniques and Base64-encoded payloads to avoid detection. So, even though the attacks started in March 2024, several packages remained undetected on PyPI for several weeks. The data was being exfiltrated through command-and-control servers, Discord webhooks, and Pastebin-like platforms.

According to researchers, the main goal was to maintain continuous access to compromised machines. Fortunately, the PyPI maintainers have since removed the offending packages.

This incident highlights the persistent risks facing open-source ecosystems and the growing sophistication of supply chain attacks. Developers are urged to double-check package names and use automated tools to vet third-party dependencies.

With technological advancements like AI and better hardware, hackers are just getting busier and busier, and supply chain attacks like this one are going to become more common. To protect yourself, we recommend using online security software, such as:

• Endpoint protection software/antivirus: They detect and block malicious scripts, files, and behaviors on devices.
• Supply chain security tools: They scan and monitor open-source dependencies for known vulnerabilities and suspicious behavior.
• Static and dynamic code analysis tools: They check code for malicious patterns before or during execution.

In addition to the software, we strongly suggest that you:

• Always verify package names.
• Use hash verification or signed packages.
• Inspect setup.py and source code.
• Monitor PyPI security advisories.
• Use virtual environments.
• Automate dependency scanning with tools like Dependabot, Snyk, or PyUP.
• Minimize access to sensitive data on systems used for development.

By following these best practices, you should be secure even if PyPI is targeted again in the future.