Cybersecurity researchers have warned of a new malicious Python package, named pytoileur, discovered in the Python Package Index (PyPI) repository. The package has been downloaded 316 times and is associated with cryptocurrency theft. The author, known as PhilipsPY, uploaded a new version (1.0.2) after the previous version (1.0.1) was removed by PyPI maintainers on May 28, 2024.
An analysis by Sonatype revealed that the package contains malicious code in its setup.py script, allowing it to execute a Base64-encoded payload to retrieve a Windows binary from an external server. This binary, ‘Runtime.exe,’ is then executed using Windows PowerShell and VBScript commands.
The installed binary establishes persistence and deploys spyware and a data-stealing malware capable of extracting information from web browsers and cryptocurrency services.
In addition, Sonatype identified a StackOverflow account named “EstAYA G” promoting the malicious pytoileur package as a solution to users’ queries.
Further investigation into the package metadata and authorship history uncovered connections to previous campaigns involving fake Python packages like Pystob and Pywool.
This incident highlights the vulnerability of open-source ecosystems to supply chain attacks involving malware propagation through legitimate platforms like PyPI.
