A recent report by Sonatype security researcher Ax Sharma highlights newly discovered malicious packages on the PyPI registry, including aptx
, which can install the Meterpreter trojan disguised as pip, delete the netstat
system utility, and tamper with SSH authorized_keys
file.
Named after the popular audio codec developed by Qualcomm and used in many Bluetooth devices, aptx
is not the only new threat identified on PyPI. Other malicious packages are httops
and tkint3rs
. What they all have in common is a strategy aiming to confuse people using purposely-crafted names. As Sharma observes, indeed, httops
and tkint3rs
are misspellings of https and the tkinter
Python interface, respectively.
On close inspection, Sonatype engineers found out that aptx
has a setup.py
manifest that is able to create an ELF binary named ./pip/pip
. The binary contains a Meterpreter trojan generated using Metasploit, a penetration testing tool, and allows an attacker to gain shell access to the infected machine. To make it harder for a sysadmin to track active connections, setup.py
also deletes netstat
.
In their January 2023 Malware Monthly, Sonatype researchers unveil details about dozen of others malicious packages found in PyPI and hundreds of new malicious packages in the npm registry.
A few of them show novel attack strategies, such as detecting whether the host where the malware is running is a virtual machine or sandbox environment. In those cases, the malware exits immediately as a way to prevent a security researchers, who will likely install the package in a VM or sandbox, from discovering it.
Another new tactic employed by recent malware is exemplified by "RAT (remote access trojan) mutants", which use multiple-stage polymorphic payloads that change every time you run the binary to evade detection. In a number of cases, those RAT mutants combined the capabilities of remote access trojans and information stealers to access clipboard data or wallet information.
In npm case, Sonatype identified packages that while not being an immediate threat should be considered malicious. Specifically, more than 33k packages were published under the scope of “infinitebrahmanuniverse” and using the “nolb-” prefix, with the only apparent aim of creating a dependency on any other npm package. According to Sonatype, this brings the "dependency hell" problem entirely to another level. Indeed, an attacker could create a malicious package depending on some of those nolb-
packages to execute a denial of service attack against a company's download channel and consume excessive resources.
As a final note from the Malware Monthly, another trend that has been gaining force recently is that of cryptominers, that is, trojans that have no other intent than using your computational power to mine cryptocurrency and earn money.