Almost a week ago, 10 malicious software packages were found nesting in the Python Package Index (PyPI) repository. It turns out there were more than ten: since then, several additional malicious PyPI packages have been unveiled by different firms, and the situation is getting worse by the day. After last week's disclosure, researchers at Check Point found further Trojanized packages mimicking popular legitimate components. These contained droppers for information-stealing malware, which prompted Kaspersky analysts to dig further through the open source repository. In doing so, they discovered two more offerings, named "ultrarequests" and "pyrequests", which pass themselves off as among the most popular packages on PyPI. Meanwhile, researchers at Snyk published findings on Tuesday about a dozen malicious PyPI packages aimed at stealing credentials and payment information from Roblox and Discord users.
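Look-alike names such as "ultrarequests" and "pyrequests" are the typical shape of a typosquat: a well-known package name with a prefix, suffix or one-character typo bolted on. The following script is an added example, not code from the article, Check Point, Kaspersky or Snyk; it scans a requirements file for names that are near-miss variants of an allowlist of popular packages. The allowlist (`POPULAR`), the affix list and the sample requirements are constructed for the demonstration; a real deployment would load a much larger allowlist from an internal registry.

```python
"""Flag dependency names that look like near-miss variants of popular
PyPI packages (typosquats).  Added example; allowlist and inputs are
constructed, not taken from any vendor report."""
from __future__ import annotations
import re

# Constructed allowlist of well-known package names (assumption: a real
# deployment would load a larger list from an internal registry).
POPULAR = {"requests", "urllib3", "numpy", "pandas", "discord.py", "colorama"}

# Affixes commonly bolted onto a real name to produce a look-alike.
AFFIXES = ("py", "python", "ultra", "lib", "pkg")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(name: str, popular=POPULAR, max_dist: int = 1) -> str | None:
    """Return the popular package that `name` resembles, or None.

    A name is suspicious if, after a common affix is accounted for, it equals
    a popular name, or if it is within `max_dist` edits of one.  Exact
    matches against the allowlist are never flagged.
    """
    n = normalize(name)
    pop = {normalize(p) for p in popular}
    if n in pop:
        return None
    for p in pop:
        # Affix-based squat: "pyrequests", "ultrarequests", "requests-py" ...
        for a in AFFIXES:
            if n in (a + p, a + "-" + p, p + a, p + "-" + a):
                return p
        # Single-character typo squat: "requets", "reqests" ...
        if levenshtein(n, p) <= max_dist:
            return p
    return None


def scan_requirements(text: str) -> list[tuple[str, str]]:
    """Parse requirement lines and return (name, resembled_package) pairs."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not m:
            continue
        hit = lookalike_of(m.group(1))
        if hit:
            findings.append((m.group(1), hit))
    return findings


if __name__ == "__main__":
    # Constructed requirements file for demonstration; the two squat names
    # are the ones the article reports, the typo line is made up.
    SAMPLE = """
    requests==2.28.1
    ultrarequests
    pyrequests
    numpy>=1.23
    requets
    """
    for name, like in scan_requirements(SAMPLE):
        print(f"{name!r} looks like {like!r}")
```

Run against a project's requirements file before `pip install`; anything it reports deserves a manual look at the package's PyPI page and upload history before installing. The edit-distance threshold of 1 is deliberately conservative to keep false positives low on a large allowlist.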
Offending PyPI Packages Have Been Removed That Affected Roblox & Discord users
According to Kyle Suero, Snyk's lead researcher, the malware is also built to steal Google Chrome data, pilfering passwords and bookmarks from Windows machines, and to work through all of a victim's accounts. All of these offending packages have since been removed from PyPI. What remains unclear is how many times they were downloaded before removal. For those who installed them, the result is a W4SP Stealer infection, which lets attackers steal Discord tokens, saved cookies and browser passwords, each in a separate thread.
Attacks on code repositories are increasing daily. According to ReversingLabs, attacks on npm and PyPI combined jumped from 259 in 2018 to 1,010 in 2021, a 290% increase that affects millions of users. Tomislav Peričin, co-founder and chief software architect at ReversingLabs, stated in a recent report that:
“As long as we keep ignoring the core of the problem — which is how do you trust code — we are not handling software supply chain security”
The good news is that all the malicious packages have been removed and tagged as Malicious. Those who have already downloaded them, however, are left to deal with the infection.