- Researchers found three malicious PyPI packages: two targeted Bitcoin developers and one targeted WooCommerce stores
- Two are designed to steal data; the third validates stolen credit cards
- All three have since been removed from the repository
Multiple open source software packages in the Python Package Index (PyPI) repository have been found to be malicious, probably compromising thousands of devices, experts have warned.
ReversingLabs cybersecurity researchers found two malicious packages, "bitcoinlibdbfix" and "bitcoinlib-dev", which together have about 2,000 downloads.
They claimed to be a fix for a legitimate Python module called "bitcoinlib", which provides features for creating and managing cryptocurrency wallets.
WooCommerce stores also under attack
Recently, the community discussed an issue related to the way the package generates error messages.
The crooks saw this as an opportunity, created the two malicious packages and jumped into the conversation in an attempt to distribute them. It does not seem to have worked: "The malicious content of that library was detected by the package's contributors and the comments were removed," ReversingLabs said.
Both libraries attempted a similar attack, the researchers explained. The idea was to overwrite the legitimate 'clw' CLI command with malicious code that exfiltrates sensitive database files.
Meanwhile, Socket researchers found a third package, which targets not Bitcoin developers but WooCommerce stores. This package does not even try to hide its true intent and is instead "openly malicious." Despite being obvious malware, it still managed to rack up 37,217 downloads.
The malware is called "disgrasya" and works as a fully automated carding script. "The malicious payload was introduced in version 7.36.9, and all subsequent versions carried the same embedded attack logic," Socket said.
Carding is a type of cybercrime in which stolen credit card information is used to make purchases, or to run unauthorized test transactions to check whether a card is still active. Since criminals often buy these details on the dark web, whoever built and distributed disgrasya could have profited greatly from it.
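A practical check that follows from both findings above is to scan a project's dependency list for the package names the article reports and for lookalikes of the legitimate "bitcoinlib" name, since the two ReversingLabs packages rode on that name and disgrasya turned malicious only from 7.36.9 onward. The script below is an added example, not part of the original article and not tooling from ReversingLabs or Socket. The three package names, the "bitcoinlib" name and the 7.36.9 cutoff come from the article; the sample requirements file, the edit-distance threshold of 2 and the function names are assumptions made here.

```python
"""Flag known-malicious and look-alike PyPI package names in a requirements file.

Added example, not part of the original article. Package names and the 7.36.9
cutoff are from the article; the lookalike threshold and sample input are assumed.
"""
import re

# Known-bad packages from the article. None means every version is malicious;
# a version tuple means malicious from that release onward (disgrasya, per Socket).
KNOWN_BAD = {
    "bitcoinlibdbfix": None,
    "bitcoinlib-dev": None,
    "disgrasya": (7, 36, 9),
}

# Legitimate names whose lookalikes we want flagged ('bitcoinlib' from the article).
PROTECTED = {"bitcoinlib"}

# Minimal requirement-line parser: name, optional operator and version.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"\s*(?:(?P<op>==|>=|<=|~=|>|<)\s*(?P<ver>[0-9][0-9A-Za-z.]*))?"
)


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -, _, . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(ver: str) -> tuple:
    """Turn '7.36.9' into (7, 36, 9); stops at the first non-numeric segment."""
    parts = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(line: str):
    """Return (normalized_name, reason) for a suspicious requirement line, else None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blank, comment, or pip option such as -r/-e
        return None
    m = _REQ_RE.match(line)
    if not m:
        return None
    name = normalize(m.group("name"))
    op, ver = m.group("op"), m.group("ver")
    if name in KNOWN_BAD:
        first_bad = KNOWN_BAD[name]
        if first_bad is None:
            return (name, "known malicious package (all versions)")
        cutoff = ".".join(map(str, first_bad))
        if op == "==" and parse_version(ver) < first_bad:
            return (name, f"known malicious package, pinned below first bad release {cutoff}")
        return (name, f"known malicious package from {cutoff} onward; this spec can resolve to it")
    if name in PROTECTED:
        return None
    for legit in PROTECTED:
        # Suffix/prefix abuse (bitcoinlib-dev, bitcoinlibdbfix) or a short edit away (bitc0inlib).
        if legit in name or edit_distance(name, legit) <= 2:
            return (name, f"lookalike of legitimate package '{legit}'")
    return None


def scan_requirements(text: str) -> list:
    """Return [(line_number, normalized_name, reason), ...] for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = classify(line)
        if hit:
            findings.append((lineno, hit[0], hit[1]))
    return findings


# Constructed sample input; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
requests==2.31.0
bitcoinlib>=0.6
bitcoinlibdbfix            # the 'fix' pushed into the bitcoinlib issue thread
bitcoinlib-dev>=0.1
disgrasya==7.36.9
disgrasya==7.36.8
Bitc0inLib
"""

if __name__ == "__main__":
    for lineno, name, reason in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name}: {reason}")
```

To run it against a real environment, feed the output of `pip freeze` or a project's requirements.txt into `scan_requirements` in place of the constructed sample; the known-bad list is deliberately tiny and should be replaced by a maintained feed, but the lookalike rule on its own would have caught both of the packages that targeted bitcoinlib users.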
Via The Hacker News