Security analysts over the years have stumbled on different spyware python packages on PyPI. PyPI, referred to as the python package index is a vast repository of open-source python packages provided by the universal body of python developers.

PyPI is the official package repository for python right now. It became a repository for source code, and it would host the source code itself. PyPI is well dependent on the Python community.

Ransomware operators take advantage of the nature of the platform. Since it is open, they upload separate malicious or hoax packages to sabotage developers’ systems.

The packages discovered by different threat analysts are:

• Ascii2text
• Pygrata 2.1.2
• Pyg-modules
• Pygrata-utils 1.0.2
• Hkg-sol-utils 0.4.0
• Loglib-modules 1.0.8
• Browserdiv

Loglib-modules

Loglib package, in particular, targets developers that may be familiar with loglib, which is a legitimate logging library; that keeps logs up-to-date on a web server. The hackers created this module name as loglib- modules 1.0.8 on Pip. The malicious package can access users’ aws keys and other confidential data.

Pyg- modules  

Pyg modules packages allow the packages to harvest AWS credentials, network interface information, and environment variables and export them to a remote endpoint. The endpoints hosting this information in the form of hundreds of TXT files were not secured by any authentication barrier, effectively permitting any party on the web to access these credentials.

Pygrata-utils

Loglib-modules and pyg-modules are trying to masquerade as the legitimate packages available on PyPI. Pygrata, fortunately, itself doesn’t have the compatibility to steal the data and other keys. It is dependent upon pygrata-utils.

Some packages either contain code that reads and exfiltrates your secrets or use one of the dependencies. 

The stolen data is stored in the shape of multiple TXT files and is transferred to the pygrata domain. It is noteworthy that packages like pygrata use the two modules as dependencies and do not harbor the code themselves. The identity of the threat actor and their motives remain unclear.

How To Prevent?

There are several things you can do to prevent these supply chain attacks. Assure that you are installing the right package, don’t just download the recently uploaded packages because most users are directly affected by this.

If you accidentally download something that has it as a dependency or a malicious library, make sure to use hash-checking mode in pip. The checking mode will let you add local hashes of known good packages to your requirement TXT files on a per-package basis.

So whenever you deploy a server and install those requirements, you’ll get the same package, that you can verify. Another program, Packj, helps to scan open source packages for suspicious source code.

Conclusion

Lastly, since PyPI is an open-source repository, the chances of supply chain attacks are always high. It has no guarantee of security while downloading from PyPI. Users must be careful while installing different packages. Usage of programs and modes is advantageous in these scenarios as these elements will help you to determine whether the following packages are legitimate or not.

Rogue Logics provides in-depth security services for the assessment and protection of your application, data, and infrastructure against potential threats on-prem or in the cloud. Want a consultation with the professionals at Rogue Logics? Contact us and get a free quote.