Among the flagged packages were several Python packages published on PyPI, masquerading as legitimate libraries named after the popular npm “colors” library.
The malicious packages, including names such as “broke-rcl,” “brokescolors,” and “trexcolors,” exclusively targeted the Windows operating system. Once installed, these packages would initiate the download and execution of a trojan hosted on Discord’s servers.
Sonatype promptly reported these findings to PyPI, resulting in the removal of the malicious packages and the associated user account.
Another malicious package, “trexcolors,” which was also named after the npm “colors” library, was discovered to download and execute a trojan known as “trex.exe” upon installation.
This trojan, detected by VirusTotal, functions as an information stealer and incorporates evasion techniques to impede analysis and reverse engineering efforts.
Cross-platform malware: Libiobe
In addition to the aforementioned packages, Sonatype identified a PyPI package named “libiobe,” likely inspired by the legitimate library “iobes.”
Unlike the Windows-specific packages, “libiobe” targeted both Windows and Unix operating systems.
On Windows, the package deployed a trojan-infected executable, named “V0d220823bb829d3fcc62d10adf.exe,” which was concealed within the source code as a base64-encoded string.
Conversely, on Linux/Unix systems, a minified Python code, also base64-encoded, executed and sent system fingerprinting data to a Telegram endpoint.
Obfuscated code: FNBOT2, TAGADAY, and ZUPPA
In addition to the PyPI and npm packages imitating the “colors” library, Sonatype’s analysis unveiled obfuscated code in packages named FNBOT2, TAGADAY, and ZUPPA.
These packages employed a similar pattern observed in previous instances of cryptominer attacks, utilising six variables named magic, love, god, destiny, joy, and trust.
The obfuscation technique employed is commonly facilitated by online tools, such as the one provided by development-tools.net.
Sonatype’s discovery of these malicious packages highlights the persistent threats faced by open-source software registries like PyPI and npm. Although the identified packages may not introduce novel payloads or tactics, they serve as a reminder of the ongoing attempts by malicious actors to exploit vulnerabilities in open-source ecosystems.
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The event is co-located with Digital Transformation Week.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.