
Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository.
The package in question is discordpydebug, which was uploaded to PyPI on March 21, 2022. It has been downloaded 11,574 times and is still available in the open-source registry. Interestingly, the package has not been updated since.
“At first glance, it looked like a simple utility aimed at developers working on Discord bots using the discord.py library,” the Socket research team said. “However, the package hid a fully functional remote access trojan.”

Once installed, the package contacts an external server (backstabprotection.jamesx123.repl[.]co) and can read or write any file, depending on the command received from the server (readfile or writefile). The RAT also supports executing shell commands.
In short, discordpydebug can be used to read sensitive data such as configuration files, tokens, and credentials, tamper with existing files, download additional payloads, and run commands in order to exfiltrate data.
“The code doesn’t include any persistence or privilege escalation mechanisms, but its simplicity is particularly effective,” Socket said. “Outbound HTTP polling, rather than inbound connections, allows it to bypass most firewalls and security monitoring tools, especially in uncontrolled development environments.”
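The behaviour described above, outbound HTTP polling from inside a loop combined with file read/write and shell execution, is a capability combination a reviewer can look for statically before a package is installed. The following heuristic scanner is an added example written for this article and is not Socket's tooling; the call-name lists, the scoring scheme and the two sample sources it inspects are all constructed for illustration.

```python
"""Heuristic static scan of Python source for RAT-like capability combinations.

Added example (not Socket's code). It flags the co-occurrence of outbound HTTP
calls, file access and process execution, and notes when the HTTP call sits
inside a loop, which is the polling pattern described in the article.
The indicator lists below are assumptions chosen for this example.
"""
import ast

# Dotted call names treated as indicators for each capability class (assumed lists).
NETWORK_CALLS = {"requests.get", "requests.post", "urllib.request.urlopen", "httpx.get"}
EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.check_output",
              "os.system", "os.popen"}
FILE_CALLS = {"open"}


def _call_name(node):
    """Return the dotted name of a Call target (e.g. 'requests.get'), or None."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None  # e.g. a call on the result of another call


def scan_source(source):
    """Count capability indicators and record whether a network call is inside a loop."""
    tree = ast.parse(source)
    findings = {"network": 0, "exec": 0, "file": 0, "network_in_loop": False}

    def walk(node, in_loop):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in NETWORK_CALLS:
                findings["network"] += 1
                if in_loop:
                    findings["network_in_loop"] = True
            elif name in EXEC_CALLS:
                findings["exec"] += 1
            elif name in FILE_CALLS:
                findings["file"] += 1
        child_in_loop = in_loop or isinstance(node, (ast.While, ast.For))
        for child in ast.iter_child_nodes(node):
            walk(child, child_in_loop)

    walk(tree, False)
    return findings


def risk_score(findings):
    """0-4: one point per capability class present, one extra for a polling loop."""
    score = sum(1 for key in ("network", "exec", "file") if findings[key])
    if findings["network_in_loop"]:
        score += 1
    return score


# Constructed sample inputs (not code from the malicious package). The host
# uses the reserved .invalid TLD so nothing is ever contacted.
SUSPICIOUS_SAMPLE = '''
import requests, subprocess, time
while True:
    task = requests.get("http://example.invalid/poll").text
    open("out.txt", "w").write(task)
    subprocess.run(["echo", task])
    time.sleep(60)
'''

BENIGN_SAMPLE = '''
import requests
def fetch_changelog(url):
    return requests.get(url).text
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        f = scan_source(src)
        print(f"{label}: {f} -> risk {risk_score(f)}")
```

A score of 4 on the constructed suspicious sample (network call inside a loop, file access and process execution all present) is what a reviewer would want surfaced; the benign sample, which only fetches a URL once, scores 1. The heuristic is deliberately crude and will miss obfuscated or dynamically built calls, so it belongs alongside, not instead of, behavioural sandboxing.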

The development comes as software supply chain security companies have also discovered over 45 npm packages that pretend to be legitimate libraries available in other ecosystems as a way to trick developers into installing them. Some notable examples are listed below:
- beautifulsoup4 (typosquat of the beautifulsoup4 Python library)
- apache-httpclient (typosquat of the Apache HttpClient Java library)
- opentk (typosquat of the OpenTK .NET library)
- seaborn (typosquat of the seaborn Python library)

All the identified packages share the same infrastructure, use similar obfuscated payloads, and point to the same IP address, despite listing different maintainers.
“The packages identified as part of this campaign contain obfuscated code designed to bypass security measures, run malicious scripts, exfiltrate sensitive data, and maintain persistence on affected systems,” says Socket.
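Two checks follow directly from the npm campaign described above: flag npm dependencies whose names mirror well-known libraries from other ecosystems, and cluster packages by the infrastructure they contact so that a group of "different" maintainers sharing one IP stands out. The code below is an added example and not Socket's own detection logic; the foreign-name table is a small hand-picked sample rather than a registry dump, and the package records (IPs, maintainers, payload hashes) are constructed placeholders, not real indicators.

```python
"""Cross-ecosystem typosquat check plus shared-infrastructure clustering.

Added example (not Socket's code). Package names in the sample come from the
campaign report; every IP, maintainer and hash below is a constructed placeholder.
"""
from collections import defaultdict

# Well-known library names from other ecosystems. For this example we assume
# none of them has a legitimate npm counterpart (an assumption, not a registry fact).
KNOWN_FOREIGN_NAMES = {
    "beautifulsoup4": "PyPI",
    "seaborn": "PyPI",
    "apache-httpclient": "Maven",
    "opentk": "NuGet",
}


def normalize(name):
    """Collapse case and separator differences that registries commonly ignore."""
    return name.lower().replace("_", "").replace("-", "").replace(".", "")


def cross_ecosystem_matches(npm_names):
    """Return {npm_name: source_ecosystem} for names that mirror a foreign library."""
    foreign = {normalize(k): v for k, v in KNOWN_FOREIGN_NAMES.items()}
    return {name: foreign[normalize(name)] for name in npm_names
            if normalize(name) in foreign}


def infrastructure_clusters(records):
    """Group packages by contacted IP and return clusters with >1 distinct maintainer.

    The article's observation is exactly this pattern: one IP, several packages,
    several maintainer accounts. Result maps ip -> sorted package names.
    """
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, group in by_ip.items():
        maintainers = {r["maintainer"] for r in group}
        if len(group) > 1 and len(maintainers) > 1:
            flagged[ip] = sorted(r["name"] for r in group)
    return flagged


def shared_payload_groups(records):
    """Map payload hash -> package names, to spot identical obfuscated payloads."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["payload_sha256"]].append(rec["name"])
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


# Constructed sample records (TEST-NET addresses and dummy hashes, not real IoCs).
SAMPLE_RECORDS = [
    {"name": "beautifulsoup4", "maintainer": "maint-a", "ip": "203.0.113.10", "payload_sha256": "deadbeef01"},
    {"name": "apache-httpclient", "maintainer": "maint-b", "ip": "203.0.113.10", "payload_sha256": "deadbeef01"},
    {"name": "opentk", "maintainer": "maint-c", "ip": "203.0.113.10", "payload_sha256": "deadbeef01"},
    {"name": "seaborn", "maintainer": "maint-d", "ip": "203.0.113.10", "payload_sha256": "deadbeef01"},
    {"name": "left-pad-helper", "maintainer": "maint-e", "ip": "198.51.100.7", "payload_sha256": "cafef00d02"},
]

if __name__ == "__main__":
    names = [r["name"] for r in SAMPLE_RECORDS]
    print("cross-ecosystem name matches:", cross_ecosystem_matches(names))
    print("shared-infrastructure clusters:", infrastructure_clusters(SAMPLE_RECORDS))
    print("identical payloads:", shared_payload_groups(SAMPLE_RECORDS))
```

In practice the IP and payload fields would come from sandbox network captures and hashes of the install-time scripts; the value of the clustering step is that a single suspicious package, once confirmed, lets you pull in every sibling that shares its infrastructure regardless of which maintainer account published it.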