https://www.fortinet.com/blog/threat-research/analyzing-malicious-intent-in-python-code

Cybersecurity researchers have discovered malicious packages uploaded to the Python Package Index (PyPI) and the Visual Studio Code Marketplace. These packages, disguised as legitimate tools for cryptocurrency development and productivity, were designed to steal sensitive information from developers’ systems.

The malicious PyPI packages, named “zebo” and “cometlogger,” were downloaded hundreds of times before being removed. These packages contained code to steal keystrokes, capture screenshots, and exfiltrate sensitive data, including credentials from popular platforms like Discord, Steam, and Instagram.

Similarly, researchers identified malicious VSCode extensions that targeted cryptocurrency developers and Zoom users. These extensions, often with names resembling legitimate tools, downloaded and executed malicious payloads.

Typosquatting and Fake Reviews

Attackers employed typosquatting techniques, creating packages with names that closely resembled legitimate ones, such as “@typescript_eslinter/eslint” instead of “typescript-eslint.” They also inflated download numbers and used fake reviews to make these malicious packages appear more trustworthy.

Impact and Recommendations

This incident highlights the growing threat of supply chain attacks targeting software development ecosystems. Developers are urged to exercise extreme caution when downloading and installing packages from online repositories.

Key recommendations include:

  • Thoroughly vetting all packages before installation.
  • Checking the source and reputation of the developer.
  • Regularly auditing development environments for potential threats.
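One concrete way to act on the vetting recommendation is to triage a package's Python sources before installing it, looking for the capability combination the article attributes to these packages: keystroke capture, screenshots and a network channel to exfiltrate what was collected. The script below is an added example, not code from the article or from Fortinet; the indicator library names and the risk thresholds are assumptions for illustration, and the sample inputs are constructed.

```python
import ast

# Indicator modules for the behaviours the article describes (keystroke capture,
# screenshots, exfiltration). Library names are assumed for this example.
CAPABILITIES = {
    "keylogging": {"pynput", "keyboard"},
    "screenshot": {"PIL.ImageGrab", "pyautogui", "mss"},
    "exfiltration": {"requests", "urllib.request", "socket", "smtplib"},
}

def imported_modules(source):
    """Collect every module path a file imports, e.g. 'PIL.ImageGrab'."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(a.name for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module)
            mods.update(f"{node.module}.{a.name}" for a in node.names)
    return mods

def dynamic_exec_calls(source):
    """Count exec()/eval() calls, the usual wrapper around a decoded payload."""
    return sum(1 for n in ast.walk(ast.parse(source))
               if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
               and n.func.id in ("exec", "eval"))

def triage(source):
    """Report the capabilities a file imports and an overall risk label."""
    mods = imported_modules(source)
    caps = {cap for cap, ind in CAPABILITIES.items()
            if any(m == i or m.startswith(i + ".") for m in mods for i in ind)}
    execs = dynamic_exec_calls(source)
    # Collection plus a network channel is the stealer pattern; lesser combos only warrant a look.
    if "exfiltration" in caps and caps & {"keylogging", "screenshot"}:
        risk = "high"
    elif len(caps) >= 2 or execs:
        risk = "medium"
    else:
        risk = "low"
    return {"capabilities": sorted(caps), "dynamic_exec": execs, "risk": risk}

# Constructed samples (only parsed, never executed; PAYLOAD is a placeholder):
# a stealer-style import profile and a benign HTTP client that uses requests.
SUSPICIOUS = ("import base64, requests\nfrom pynput import keyboard\n"
              "from PIL import ImageGrab\nexec(base64.b64decode(PAYLOAD))\n")
BENIGN = "import json, requests\n\ndef fetch(url):\n    return requests.get(url).json()\n"

if __name__ == "__main__":
    print(triage(SUSPICIOUS))  # risk: high
    print(triage(BENIGN))      # risk: low
```

Run it over the files of a downloaded (not installed) distribution; a "high" result is a reason to inspect the code by hand, not a verdict, and a "low" result does not clear a package that hides its behaviour behind runtime downloads.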

This incident serves as a stark reminder of the importance of maintaining a strong security posture throughout the entire software development lifecycle.