
PyPI Suspends New Registrations Due to Increase in Malicious Package Submissions Aimed at Developers

The Python Package Index (PyPI) repository temporarily suspended new user sign-ups due to an influx of malicious projects uploaded as part of a typosquatting campaign.

PyPI announced that “new project creation and new user registration” were halted to address a “malware upload campaign.” The incident was resolved 10 hours later at 12:56 p.m. UTC on March 28, 2024.

Checkmarx, a software supply chain security firm, revealed that threat actors flooded the repository with typosquatted versions of popular packages to target developers.

The attackers aimed to steal crypto wallets, sensitive browser data, and credentials through a multi-stage attack. The malicious payload also included a persistence mechanism for surviving reboots, as highlighted by researchers Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornstain in their report.

Mend.io independently verified the findings, detecting over 100 malicious packages targeting machine learning libraries like PyTorch, Matplotlib, and Selenium.

As open-source repositories become an increasingly attractive target for threat actors, the risk of software supply chain attacks rises. Typosquatting is a well-known tactic in which adversaries upload packages whose names closely resemble those of legitimate ones, so that a developer who mistypes or misremembers a name installs the malicious package instead.

Over 500 deceptive variants were identified, beginning on March 26, 2024, all uploaded from a single account, which points to an automated process, as noted by Check Point.

In its statement, the cybersecurity company emphasized that the decentralized nature of the uploads complicates efforts to combat these malicious entries.

Phylum, a cybersecurity firm tracking the campaign, identified various malicious package variations released by the attackers.

  • 67 variations of requirements
  • 38 variations of Matplotlib
  • 36 variations of requests
  • 35 variations of colorama
  • 29 variations of tensorflow
  • 28 variations of selenium
  • 26 variations of BeautifulSoup
  • 26 variations of PyTorch
  • 20 variations of pillow
  • 15 variations of asyncio
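Because every name in the list above is a near-miss of a popular package, the most direct defensive check is to compare the names a project pins against an allow-list and flag anything within a character or two of a legitimate name. The following is an added example, not code from the article or from any of the vendors it cites; the allow-list, the requirements file and the distance threshold are constructed for illustration.

```python
import re
# Constructed allow-list for this example: packages the campaign imitated, under
# their real PyPI names (BeautifulSoup ships as beautifulsoup4, PyTorch as torch).
KNOWN_GOOD = {"requests", "matplotlib", "colorama", "tensorflow", "selenium",
              "beautifulsoup4", "torch", "pillow", "asyncio", "numpy"}

def normalize(name):
    """PEP 503 name normalization: case-fold and collapse runs of - _ . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute or swap adjacent chars."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition, e.g. reqeusts
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]

def requirement_name(line):
    """Distribution name from a requirements.txt line, or None for blanks and options."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line) if line and line[0] != "-" else None
    return m.group(0) if m else None

def find_typosquats(requirements, max_distance=2):
    """List (requested, lookalike, distance) for names near, but not equal to, a known-good name."""
    hits = []
    for line in requirements.splitlines():
        name = requirement_name(line)
        if name is None or normalize(name) in KNOWN_GOOD:
            continue  # an exact normalized match is the legitimate package itself
        for good in sorted(KNOWN_GOOD):
            d = edit_distance(normalize(name), good)
            if d <= max_distance:
                hits.append((name, good, d))
    return hits

# Constructed requirements file with two lookalike names mixed in.
SAMPLE = """\
requests==2.31.0
reqeusts            # transposed letters
-r constraints.txt
colourama           # extra letter
Pillow              # legitimate; only the capitalisation differs
"""
```

Run `find_typosquats(SAMPLE)` to get `[('reqeusts', 'requests', 1), ('colourama', 'colorama', 1)]`; a CI job can fail the build on a non-empty result, and the allow-list can be swapped for the project's own lock file or an internal mirror's index.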

These packages targeted Windows users, downloading and executing an obfuscated payload from an actor-controlled domain (“funcaptcha[.]ru”).

The malware operated as a data stealer, exfiltrating files, Discord tokens, browser data, and cryptocurrency wallet information to a remote server. It also attempted to establish persistence by downloading a Python script (“hvnc.py”) to the Windows Startup folder.

This incident underscores the need for developers to thoroughly vet third-party components to protect against potential threats in software supply chain attacks.

This is not the first time PyPI has taken such measures, as it had to discontinue user sign-ups in May 2023 due to an overwhelming number of malicious users and projects. A similar suspension occurred on December 27, 2023, and was lifted on January 2, 2024.
