A new malicious campaign has been found on the Python Package Index (PyPI) open-source repository involving 24 malicious packages that closely imitate three popular open-source tools: vConnector, eth-tester and databases.
The campaign, dubbed VMConnect, was uncovered by ReversingLabs and started around July 28, 2023, with the continuous posting of new malicious PyPI packages daily. The attackers displayed a more sophisticated approach compared to previous supply chain attacks.
According to a report published by ReversingLabs on Thursday, the actors created corresponding GitHub repositories, complete with legitimate-looking descriptions and linked source code, to make their packages appear trustworthy. However, the malicious behavior was omitted from the GitHub repository.
“The malicious functionality is not present within the source code. It is only by scanning the artifacts used in the build process that this threat would have been detected,” the security firm wrote.
In fact, ReversingLabs said its Titanium Platform detected the suspicious package during routine scanning. Detailed package analysis revealed malicious behavior, including contacting a command and control (C2) server to download additional malicious code. Notably, while the C2 server was live, no commands were observed during the research period.
“[This] could indicate that the malicious actors were not actively using the infrastructure, or that the compromised endpoints we controlled were not of interest to them,” reads the report.
Additionally, these malicious packages were promptly removed from PyPI, likely due to internal system detections or external reports. However, the attackers quickly replaced the packages, indicating a well-organized and ongoing campaign.
Despite the extensive analysis, several key questions still need to be answered, ReversingLabs wrote.
“Lacking any visibility into the later stages of this campaign, it is impossible to know what its ultimate purpose was: theft of sensitive data or intellectual property? Surveillance? Ransomware? All of the above?” More data that reveals the full breadth of this campaign is needed before we can speculate on its intent.”
In the meantime, the company has published indicators of compromise (IOCs) in the hope that others may connect them to known attacks and threat actors, shedding light on the campaign’s origins and intent.