Cyble Research and Intelligence Labs (CRIL) have been actively monitoring Malicious Python Packages, uncovering a disturbing trend. One of their recent findings includes the discovery of an InfoStealer named KEKW, which was spreading through multiple malicious Python packages.

PyPI, known as the Python Package Index, is a popular third-party software repository for the Python programming language. However, the rise in malicious Python packages has prompted concerns among developers and security researchers.

As a result, CRIL conducted comprehensive investigations into the incident, revealing the extent of the problem and shedding light on various aspects of these malicious Python packages.

A surge in malicious Python packages

During their research, CRIL identified over 160 malicious Python packages downloaded over 45,000 times, based on statistics obtained from PePy.

Even more concerning was the month-over-month increase in downloads of these malicious packages. Fortunately, PyPI promptly removed all of these packages, preventing further infections.

To visualize the issue’s magnitude, CRIL provided a graph illustrating the distribution of the number of packages downloaded in the last three months. One noteworthy thing found during the CRIL’s investigation was uploading Python packages with intentionally misspelled names. 

Threat actors capitalized on users’ typographical errors during package installations, leading them to install malicious packages unknowingly. 

For instance, CRIL found a package named ‘reaquests’ that imitated a legitimate and widely used Python package called “requests.” Such packages put users at risk of malware infections.

CRIL also uncovered several malware variants associated with these malicious packages. These packages employed an identical downloader, collectively accumulating 1355 downloads. 

The downloader retrieves a remote script from a designated URL, obfuscated using the Hyperion Python obfuscator, known for its multi-layered obfuscation techniques.

The Creal Stealer, an open-source stealer commonly used by threat actors, was also discovered to be distributed through Python packages. These packages, downloaded over 1300 times, further highlight the dangers associated with malicious Python packages.

Propagation of EvilPIP and its Implications

CRIL’s investigation encountered a package named “Sintaxiscodigo-0.0.0-py3-none-any” with over 300 downloads.

Further analysis revealed that this package propagated EvilPIP, a malicious PyPI module. Although the specific module has been removed, its upload demonstrated the intent to infect users.

CRIL’s analysis emphasized the prevalence of InfoStealers being propagated through malicious Python packages.

The availability of code for information stealers on platforms like GitHub has enabled threat actors to leverage this type of malware in their campaigns.

To mitigate the risks posed by malicious packages, users and businesses are urged to exercise caution when installing Python packages, ensuring they are obtained from trusted sources.

Regularly updating security measures and employing reliable antivirus software can provide additional protection against these threats.

Moreover, the surge in malicious Python packages has prompted PyPI to suspend new user and project name registrations temporarily.

The investigations conducted by CRIL shed light on the scope of the problem, including the use of misspelled package names, the proliferation of new malware variants, and the adoption of obfuscation techniques by threat actors.