An active malware campaign is targeting the Python Package Index (PyPI) and npm, the package repositories for Python and JavaScript, with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains.
The typosquatted Python packages all impersonate the popular requests library: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests.
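A defender's first question on reading a list like this is whether any of these names already sit in a project's dependency manifest, and whether other near-misses of `requests` slipped in that the published list does not cover. The following Python script is an added example, not code from the article or from Phylum: it parses a `requirements.txt`, normalizes names the way PyPI does (PEP 503), flags anything on the list above, and also flags any name within a small edit distance of a protected package. The `TARGETS` allow-list and the sample requirements file are constructed for illustration.

```python
import re

# Names reported in the campaign described above (copied from the write-up;
# telnservrr is included because it appears in both the PyPI and npm sets).
KNOWN_TYPOSQUATS = {
    "dequests", "fequests", "gequests", "rdquests", "reauests", "reduests",
    "reeuests", "reqhests", "reqkests", "requesfs", "requesta", "requeste",
    "requestw", "requfsts", "resuests", "rewuests", "rfquests", "rrquests",
    "rwquests", "telnservrr", "tequests",
}

# Assumption: a small allow-list of popular packages a team wants to protect
# against look-alikes. Extend it with whatever your projects depend on.
TARGETS = {"requests"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of [-_.] become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> list:
    """Return the bare project names from requirements.txt-style text.

    Comments, blank lines and option lines (-r, -e, --index-url ...) are
    skipped; version specifiers and extras are stripped from each name.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def check_requirements(text: str, max_distance: int = 2) -> list:
    """Flag dependencies that are listed typosquats or look-alikes of TARGETS.

    Each finding is a dict with the name as written, a reason, and the edit
    distance to the closest protected package.
    """
    findings = []
    for name in parse_requirements(text):
        norm = normalize(name)
        if norm in TARGETS:
            continue  # the genuine package
        distance = min(levenshtein(norm, t) for t in TARGETS)
        if norm in KNOWN_TYPOSQUATS:
            findings.append({"name": name, "reason": "listed-in-campaign",
                             "distance": distance})
        elif distance <= max_distance:
            findings.append({"name": name, "reason": "look-alike",
                             "distance": distance})
    return findings


# Constructed sample manifest for the example; not from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.28.1
reqhests
Requesta[security]==1.0
requestss>=1.0   # one letter off, not in the published list
flask>=2.0
numpy
-r other.txt
"""

if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f['name']:<12} {f['reason']:<20} distance={f['distance']}")
```

Run against the constructed manifest, the script reports `reqhests` and `Requesta` as names from the published list and `requestss` as an unlisted look-alike, while `requests`, `flask` and `numpy` pass. A distance threshold of 2 is deliberately conservative: raising it catches more variants but starts to flag legitimate short names, so tune it per allow-list entry rather than globally.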
According to Phylum, the rogue packages embed source code that retrieves a Golang-based ransomware binary from a remote server, selected according to the victim’s operating system and microarchitecture.
Successful execution causes the victim’s desktop background to be changed to an actor-controlled image that claims to be from the U.S. Central Intelligence Agency (CIA). It’s also designed to encrypt files and demand a $100 ransom in cryptocurrency.
In a sign that the attack is not limited to PyPI, the adversary has been spotted publishing five different modules in npm: discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr.
“The attacker has also published several npm packages that behave in a similar manner,” Phylum CTO Louis Lang said, adding that each of the libraries contains the JavaScript equivalent of the same code to deploy the ransomware.
The findings come as ReversingLabs uncovered a tranche of 10 additional PyPI packages pushing modified versions of the W4SP Stealer malware as part of an ongoing supply chain attack aimed at software developers that’s believed to have started around September 25, 2022.
That’s not all. Earlier this month, Israel-based software supply chain security firm Legit Security demonstrated a new attack technique against a Rust repository (“rust-lang”) that abuses GitHub Actions to poison legitimate artifacts.
Build artifacts are the files created by the build process, such as distribution packages, WAR files, logs, and reports. By replacing the actual modules with trojanized versions, an actor could steal sensitive information or deliver additional payloads to all its downstream users.
“The vulnerability was found in a workflow called ‘ci.yml’ which is responsible for building and testing the repository’s code,” Legit Security researcher Noam Dotan said in a technical write-up.
By exploiting this weakness, an attacker could trick the GitHub workflow into executing a malware-laced artifact, effectively making it possible to tamper with repository branches, pull requests, issues, and releases.
The maintainers of the Rust programming language addressed the issue on September 26, 2022, following responsible disclosure on September 15, 2022.