Latest attack on PyPI users shows crooks are only getting better

NOT THE PYPI PACKAGE YOU’RE LOOKING FOR —

The code found in the malicious packages closely resembled legit offerings.


A skull and crossbones on a computer screen are surrounded by ones and zeroes.

More than 400 malicious packages were recently uploaded to PyPI (Python Package Index), the official code repository for the Python programming language, in the latest indication that the targeting of software developers using this form of attack isn’t a passing fad.

All 451 packages found recently by security firm Phylum contained almost identical malicious payloads and were uploaded in bursts that came in quick succession. Once installed, the packages create a malicious JavaScript extension that loads each time a browser is opened on the infected device, a trick that gives the malware persistence over reboots.

The JavaScript monitors the infected developer’s clipboard for any cryptocurrency addresses that may be copied to it. When an address is found, the malware replaces it with an address belonging to the attacker. The objective: intercept payments the developer intended to make to a different party.

In November, Phylum identified dozens of packages, downloaded hundreds of times, that used highly encoded JavaScript to surreptitiously do the same thing. Specifically, it:

  • Created a textarea on the page
  • Pasted any clipboard contents to it
  • Used a series of regular expressions to search for common cryptocurrency address formats
  • Replaced any identified addresses with the attacker-controlled addresses in the previously created textarea
  • Copied the textarea to the clipboard

“If at any point a compromised developer copies a wallet address, the malicious package will replace the address with an attacker-controlled address,” Phylum Chief Technical Officer Louis Lang wrote in the November post. “This surreptitious find/replace will cause the end user to inadvertently send their funds to the attacker.”

New obfuscation method

Besides vastly increasing the number of malicious packages uploaded, the latest campaign also uses a significantly different way to cover its tracks. Whereas the packages disclosed in November used encoding to conceal the behavior of the JavaScript, the new packages write function and variable identifiers in what appear to be random 16-bit combinations of Chinese language ideographs found in the following table:

Unicode code pointIdeographDefinition
0x4ebaman; people; mankind; someone else
0x5200knife; old coin; measure
0x53e3mouth; open end; entrance, gate
0x5973woman, girl; feminine
0x5b50child; fruit, seed of
0x5c71mountain, hill, peak
0x65e5sun; day; daytime
0x6708moon; month
0x6728tree; wood, lumber; wooden
0x6c34water, liquid, lotion, juice
0x76eeeye; look, see; division, topic
0x99achorse; surname
0x9a6chorse; surname
0x9ce5bird
0x9e1fbird

Using this table, the line of code

''.join(map(getattr(__builtins__, oct.__str__()[-3 << 0] + hex.__str__()[-1 << 2] + copyright.__str__()[4 << 0]), [(((1 << 4) - 1) << 3) - 1, ((((3 << 2) + 1)) << 3) + 1, (7 << 4) - (1 << 1), ((((3 << 2) + 1)) << 2) - 1, (((3 << 3) + 1) << 1)]))

creates the built-in function chr and maps the function to the list of integers [119, 105, 110, 51, 50]. Then the line combines it into a string that ultimately creates 'win32'.

Phylum researchers explained:

We can see a series of these kinds of calls oct.__str__()[-3 << 0]. The [-3 << 0] evaluates to [-3] and oct.__str__() evaluates to the string ''. Using Python’s index operator [] on a string with a -3 will grab the 3rd character from the end of the string, in this case ''[-3] will evaluate to 'c'. Continuing with this on the other 2 here gives us 'c' + 'h' + 'r' and simply evaluating the complex bitwise arithmetic tacked on to the end leaves us with:

''.join(map(getattr(__builtins__, 'c' + 'h' + 'r'), [119, 105, 110, 51, 50]))

The getattr(__builtins__, 'c' + 'h' + 'r') just gives us the built-in function chr and then it maps chr to the list of ints [119, 105, 110, 51, 50] and then joins it all together into a string ultimately giving us 'win32'. This technique is continued throughout the entirety of the code.

While giving the appearance of highly obfuscated code, the technique is ultimately easy to defeat, the researchers said, simply by observing what the code does when it runs.

The latest batch of malicious packages attempts to capitalize on typos developers make when downloading one of these legitimate packages:

  • bitcoinlib
  • ccxt
  • cryptocompare
  • cryptofeed
  • freqtrade
  • selenium
  • solana
  • vyper
  • websockets
  • yfinance
  • pandas
  • matplotlib
  • aiohttp
  • beautifulsoup
  • tensorflow
  • selenium
  • scrapy
  • colorama
  • scikit-learn
  • pytorch
  • pygame
  • pyinstaller

Packages that target the legitimate vyper package, for instance, used 13 file names that omitted or duplicated a single character or transposed two characters of the correct name:

  • yper
  • vper
  • vyer
  • vype
  • vvyper
  • vyyper
  • vypper
  • vypeer
  • vyperr
  • yvper
  • vpyer
  • vyepr
  • vypre

“This technique is trivially easy to automate with a script (we leave this as an exercise for the reader), and as the length of the name of the legitimate package increases, so do the possible typosquats,” the researchers wrote. “For example, our system detected 38 typosquats of the cryptocompare package published nearly simultaneously by the user named pinigin.9494.”

The availability of malicious packages in legitimate code repositories that closely resemble the names of legitimate packages dates back to at least 2016 when a college student uploaded 214 booby-trapped packages to the PyPI, RubyGems, and NPM repositories that contained slightly modified names of legitimate packages. The result: The imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half were given all-powerful administrative rights. So-called typosquatting attacks have flourished ever since.

The names of all 451 malicious packages the Phylum researchers found are included in the blog post. It’s not a bad idea for anyone who intended to download one of the legitimate packages targeted to double-check that they didn’t inadvertently obtain a malicious doppelganger.

Read More
Dan Goodin

Latest

NASA Webb Uncovers Unusual Galaxy Shaped by Cosmic Collision

Science & Nature In new images from NASA’s James...

Researchers in Switzerland invent a new type of pixel

Science & Nature Pixels either control light or analyze...

Farewell, atom-smashing Large Hadron Collider

Science & Nature After 18 years of discovery, it's...

Why humans find fire so mesmerizing

Science & Nature It's not just cozy vibes. We're...

Newsletter

Don't miss

NASA Webb Uncovers Unusual Galaxy Shaped by Cosmic Collision

Science & Nature In new images from NASA’s James...

Researchers in Switzerland invent a new type of pixel

Science & Nature Pixels either control light or analyze...

Farewell, atom-smashing Large Hadron Collider

Science & Nature After 18 years of discovery, it's...

Why humans find fire so mesmerizing

Science & Nature It's not just cozy vibes. We're...

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity

Business Insurance-AZ Achieves Record Response Times for 2026 Arizona Construction Bids

Business Insurance-AZ achieves milestone response speeds for commercial construction bids across Arizona, accelerating documentation delivery to keep local projects moving forward without delay. Phoenix, AZ, June 06-2026, ZEX PR WIRE — Business Insurance-AZ has achieved record-breaking processing speeds and response times for commercial construction bids throughout Arizona, directly supporting the state’s massive infrastructure and advanced manufacturing boom