Watch out for those Python packages
Reticulated python. © Mark Kostich/iStock.
Phylum, the security company, recently discovered more than 450 malicious packages uploaded to PyPI (Python Package Index), the official code repository for the Python programming language. The packages almost always contained the same malicious code and were uploaded in rapid succession. Once installed, a package creates a malicious JavaScript extension that loads each time a browser is opened on the infected device. This malware monitors the infected developer's clipboard for any cryptocurrency address that might be lurking, then replaces it with the attacker's address. Malicious packages have been identified on repositories before, but their number seems to be growing and attackers are becoming ever more inventive at ensnaring inattentive developers. A tip: before installing a package, double-check that the name you are requesting really is the package you intend, at least until the package repositories put safeguards in place against distributing malicious code as easily as through a typo in a package name.
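An added check (not code from the page, from Phylum or from PyPI) that puts the tip into practice: it flags requirement names that sit within a small edit distance of well-known package names, which is exactly the near-miss a typosquatted package relies on. The KNOWN_PACKAGES list and the sample requirements lines are constructed for the example.

```python
import re

# Constructed allow-list of popular names; in practice, feed this from PyPI download stats.
KNOWN_PACKAGES = {"requests", "numpy", "pandas", "urllib3", "cryptography",
                  "setuptools", "pillow", "colorama"}

def normalize(name):
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def closest_known(name, known=KNOWN_PACKAGES, max_distance=2):
    """Return (known_name, distance) if `name` is a near-miss of a known package, else None."""
    n = normalize(name)
    if n in known:          # exact match: nothing to flag
        return None
    best = None
    for k in known:
        d = levenshtein(n, k)
        if d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    return best

def check_requirements(lines):
    """Scan requirements.txt-style lines; return one warning per suspicious name."""
    warnings = []
    for line in lines:
        req = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not req:
            continue
        # Bare project name: cut at the first extras/specifier/marker character.
        name = re.split(r"[\[<>=!~;@\s]", req, maxsplit=1)[0]
        hit = closest_known(name)
        if hit:
            warnings.append(f"{name!r} is {hit[1]} edit(s) from {hit[0]!r}; verify before installing")
    return warnings

# Constructed sample input: two genuine pins and two near-miss names.
SAMPLE_REQUIREMENTS = ["requests==2.31.0", "reqests  # constructed typo",
                       "numpy>=1.24", "colourama"]
```

Run `check_requirements(SAMPLE_REQUIREMENTS)` to get two warnings, one for `reqests` and one for `colourama`; the exact pins pass silently.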
⇨ Ars Technica, Dan Goodin, “Latest attack on PyPI users shows crooks are only getting better.”
2023-02-14