{"id":608278,"date":"2023-02-15T07:49:11","date_gmt":"2023-02-15T13:49:11","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/02\/15\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/"},"modified":"2023-02-15T07:49:11","modified_gmt":"2023-02-15T13:49:11","slug":"latest-attack-on-pypi-users-shows-crooks-are-only-getting-better","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/02\/15\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/","title":{"rendered":"Latest attack on PyPI users shows crooks are only getting better"},"content":{"rendered":"<div>\n<header>\n<h4>\n      NOT THE PYPI PACKAGE YOU&#8217;RE LOOKING FOR    \u2014<br \/>\n<\/h4>\n<h2 itemprop=\"description\">The code found in the malicious packages closely resembled legit offerings.<\/h2>\n<section>\n<p itemprop=\"author creator\" itemscope itemtype=\"http:\/\/schema.org\/Person\">\n      <a itemprop=\"url\" href=\"https:\/\/arstechnica.com\/author\/dan-goodin\/\" rel=\"author\"><span itemprop=\"name\">Dan Goodin<\/span><\/a><br \/>\n    &#8211;  <time data-time=\"1676417872\" datetime=\"2023-02-14T23:37:52+00:00\">Feb 14, 2023 11:37 pm UTC<\/time>\n<\/p>\n<\/section>\n<\/header>\n<div itemprop=\"articleBody\">\n<figure>\n  <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/03\/skull-ones-zeros-cROPPED-800x464.jpeg\" alt=\"A skull and crossbones on a computer screen are surrounded by ones and zeroes.\"><figcaption><\/figcaption><\/figure>\n<p>More than 400 malicious packages were recently uploaded to PyPI (Python Package Index), the official code repository for the Python programming language, in the latest indication that the targeting of software developers using this form of attack isn\u2019t a passing fad.<\/p>\n<p>All 451 packages <a href=\"https:\/\/blog.phylum.io\/phylum-discovers-revived-crypto-wallet-address-replacement-attack\">found recently<\/a> by security firm Phylum contained almost identical malicious payloads and were uploaded in bursts that came in quick succession. Once installed, the packages create a malicious JavaScript extension that loads each time a browser is opened on the infected device, a trick that gives the malware persistence over reboots.<\/p>\n<p>The JavaScript monitors the infected developer\u2019s clipboard for any cryptocurrency addresses that may be copied to it. When an address is found, the malware replaces it with an address belonging to the attacker. The objective: intercept payments the developer intended to make to a different party.<\/p>\n<p>In November, Phylum <a href=\"https:\/\/blog.phylum.io\/pypi-malware-replaces-crypto-addresses-in-developers-clipboard\">identified dozens<\/a> of packages, downloaded hundreds of times, that used highly encoded JavaScript to surreptitiously do the same thing. Specifically, it:<\/p>\n<ul>\n<li aria-level=\"1\">Created a textarea on the page<\/li>\n<li aria-level=\"1\">Pasted any clipboard contents to it<\/li>\n<li aria-level=\"1\">Used a series of regular expressions to search for common cryptocurrency address formats<\/li>\n<li aria-level=\"1\">Replaced any identified addresses with the attacker-controlled addresses in the previously created textarea<\/li>\n<li aria-level=\"1\">Copied the textarea to the clipboard<\/li>\n<\/ul>\n<p>\u201cIf at any point a compromised developer copies a wallet address, the malicious package will replace the address with an attacker-controlled address,\u201d Phylum Chief Technical Officer Louis Lang wrote in the November post. \u201cThis surreptitious find\/replace will cause the end user to inadvertently send their funds to the attacker.\u201d<\/p>\n<h2>New obfuscation method<\/h2>\n<p>Besides vastly increasing the number of malicious packages uploaded, the latest campaign also uses a significantly different way to cover its tracks. Whereas the packages disclosed in November used encoding to conceal the behavior of the JavaScript, the new packages write function and variable identifiers in what appear to be random 16-bit combinations of Chinese language ideographs found in the following table:<\/p>\n<table readabilityDataTable=\"1\">\n<thead>\n<tr>\n<th>Unicode code point<\/th>\n<th>Ideograph<\/th>\n<th>Definition<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>0x4eba<\/td>\n<td>\u4eba<\/td>\n<td>man; people; mankind; someone else<\/td>\n<\/tr>\n<tr>\n<td>0x5200<\/td>\n<td>\u5200<\/td>\n<td>knife; old coin; measure<\/td>\n<\/tr>\n<tr>\n<td>0x53e3<\/td>\n<td>\u53e3<\/td>\n<td>mouth; open end; entrance, gate<\/td>\n<\/tr>\n<tr>\n<td>0x5973<\/td>\n<td>\u5973<\/td>\n<td>woman, girl; feminine<\/td>\n<\/tr>\n<tr>\n<td>0x5b50<\/td>\n<td>\u5b50<\/td>\n<td>child; fruit, seed of<\/td>\n<\/tr>\n<tr>\n<td>0x5c71<\/td>\n<td>\u5c71<\/td>\n<td>mountain, hill, peak<\/td>\n<\/tr>\n<tr>\n<td>0x65e5<\/td>\n<td>\u65e5<\/td>\n<td>sun; day; daytime<\/td>\n<\/tr>\n<tr>\n<td>0x6708<\/td>\n<td>\u6708<\/td>\n<td>moon; month<\/td>\n<\/tr>\n<tr>\n<td>0x6728<\/td>\n<td>\u6728<\/td>\n<td>tree; wood, lumber; wooden<\/td>\n<\/tr>\n<tr>\n<td>0x6c34<\/td>\n<td>\u6c34<\/td>\n<td>water, liquid, lotion, juice<\/td>\n<\/tr>\n<tr>\n<td>0x76ee<\/td>\n<td>\u76ee<\/td>\n<td>eye; look, see; division, topic<\/td>\n<\/tr>\n<tr>\n<td>0x99ac<\/td>\n<td>\u99ac<\/td>\n<td>horse; surname<\/td>\n<\/tr>\n<tr>\n<td>0x9a6c<\/td>\n<td>\u9a6c<\/td>\n<td>horse; surname<\/td>\n<\/tr>\n<tr>\n<td>0x9ce5<\/td>\n<td>\u9ce5<\/td>\n<td>bird<\/td>\n<\/tr>\n<tr>\n<td>0x9e1f<\/td>\n<td>\u9e1f<\/td>\n<td>bird<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Using this table, the line of code<\/p>\n<pre><code>''.join(map(getattr(__builtins__, oct.__str__()[-3 << 0] + hex.__str__()[-1 << 2] + copyright.__str__()[4 << 0]), [(((1 << 4) - 1) << 3) - 1, ((((3 << 2) + 1)) << 3) + 1, (7 << 4) - (1 << 1), ((((3 << 2) + 1)) << 2) - 1, (((3 << 3) + 1) << 1)]))\n<\/code><\/pre>\n<p>creates the built-in function <code>chr<\/code> and maps the function to the list of integers <code>[119, 105, 110, 51, 50]<\/code>. Then the line combines it into a string that ultimately creates <code>'win32'<\/code>.<\/p>\n<p>Phylum researchers explained:<\/p>\n<blockquote>\n<p>We can see a series of these kinds of calls <code>oct.__str__()[-3 << 0]<\/code>. The <code>[-3 << 0]<\/code> evaluates to <code>[-3]<\/code> and <code>oct.__str__()<\/code> evaluates to the string <code>'<built-in function oct>'<\/code>. Using Python\u2019s index operator <code>[]<\/code> on a string with a <code>-3<\/code> will grab the 3rd character from the end of the string, in this case <code>'<built-in function oct>'[-3]<\/code> will evaluate to <code>'c'<\/code>. Continuing with this on the other 2 here gives us <code>'c' + 'h' + 'r'<\/code> and simply evaluating the complex bitwise arithmetic tacked on to the end leaves us with:<\/p>\n<pre><code>''.join(map(getattr(__builtins__, 'c' + 'h' + 'r'), [119, 105, 110, 51, 50]))<\/code><\/pre>\n<p>The <code>getattr(__builtins__, 'c' + 'h' + 'r')<\/code> just gives us the built-in function <code>chr<\/code> and then it maps <code>chr<\/code> to the list of ints <code>[119, 105, 110, 51, 50]<\/code> and then joins it all together into a string ultimately giving us <code>'win32'<\/code>. This technique is continued throughout the entirety of the code.<\/p>\n<\/blockquote>\n<p>While giving the appearance of highly obfuscated code, the technique is ultimately easy to defeat, the researchers said, simply by observing what the code does when it runs.<\/p>\n<p>The latest batch of malicious packages attempts to capitalize on typos developers make when downloading one of these legitimate packages:<\/p>\n<ul>\n<li aria-level=\"1\">bitcoinlib<\/li>\n<li aria-level=\"1\">ccxt<\/li>\n<li aria-level=\"1\">cryptocompare<\/li>\n<li aria-level=\"1\">cryptofeed<\/li>\n<li aria-level=\"1\">freqtrade<\/li>\n<li aria-level=\"1\">selenium<\/li>\n<li aria-level=\"1\">solana<\/li>\n<li aria-level=\"1\">vyper<\/li>\n<li aria-level=\"1\">websockets<\/li>\n<li aria-level=\"1\">yfinance<\/li>\n<li aria-level=\"1\">pandas<\/li>\n<li aria-level=\"1\">matplotlib<\/li>\n<li aria-level=\"1\">aiohttp<\/li>\n<li aria-level=\"1\">beautifulsoup<\/li>\n<li aria-level=\"1\">tensorflow<\/li>\n<li aria-level=\"1\">selenium<\/li>\n<li aria-level=\"1\">scrapy<\/li>\n<li aria-level=\"1\">colorama<\/li>\n<li aria-level=\"1\">scikit-learn<\/li>\n<li aria-level=\"1\">pytorch<\/li>\n<li aria-level=\"1\">pygame<\/li>\n<li aria-level=\"1\">pyinstaller<\/li>\n<\/ul>\n<p>Packages that target the legitimate vyper package, for instance, used 13 file names that omitted or duplicated a single character or transposed two characters of the correct name:<\/p>\n<ul>\n<li aria-level=\"1\">yper<\/li>\n<li aria-level=\"1\">vper<\/li>\n<li aria-level=\"1\">vyer<\/li>\n<li aria-level=\"1\">vype<\/li>\n<li aria-level=\"1\">vvyper<\/li>\n<li aria-level=\"1\">vyyper<\/li>\n<li aria-level=\"1\">vypper<\/li>\n<li aria-level=\"1\">vypeer<\/li>\n<li aria-level=\"1\">vyperr<\/li>\n<li aria-level=\"1\">yvper<\/li>\n<li aria-level=\"1\">vpyer<\/li>\n<li aria-level=\"1\">vyepr<\/li>\n<li aria-level=\"1\">vypre<\/li>\n<\/ul>\n<p>\u201cThis technique is trivially easy to automate with a script (we leave this as an exercise for the reader), and as the length of the name of the legitimate package increases, so do the possible typosquats,\u201d the researchers wrote. \u201cFor example, our system detected 38 typosquats of the <code>cryptocompare<\/code> package published nearly simultaneously by the user named <code>pinigin.9494<\/code>.\u201d<\/p>\n<p>The availability of malicious packages in legitimate code repositories that closely resemble the names of legitimate packages dates back to at least 2016 when a college student <a href=\"https:\/\/arstechnica.com\/information-technology\/2016\/06\/college-student-schools-govs-and-mils-on-perils-of-arbitrary-code-execution\/\">uploaded 214 booby-trapped packages<\/a> to the PyPI, RubyGems, and NPM repositories that contained slightly modified names of legitimate packages. The result: The imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half were given all-powerful administrative rights. So-called typosquatting attacks <a href=\"https:\/\/arstechnica.com\/information-technology\/2021\/12\/malicious-packages-sneaked-into-npm-repository-stole-discord-tokens\/\">have<\/a> <a href=\"https:\/\/arstechnica.com\/information-technology\/2020\/04\/725-bitcoin-stealing-apps-snuck-into-ruby-repository\/\">flourished<\/a> <a href=\"https:\/\/arstechnica.com\/gadgets\/2021\/07\/malicious-pypi-packages-caught-stealing-developer-data-and-injecting-code\/\">ever<\/a> <a href=\"https:\/\/arstechnica.com\/gadgets\/2021\/06\/counterfeit-pypi-packages-with-5000-downloads-installed-cryptominers\/\">since<\/a>.\n<\/p>\n<p>The names of all 451 malicious packages the Phylum researchers found are included in <a href=\"https:\/\/blog.phylum.io\/phylum-discovers-revived-crypto-wallet-address-replacement-attack\">the blog post<\/a>. It\u2019s not a bad idea for anyone who intended to download one of the legitimate packages targeted to double-check that they didn\u2019t inadvertently obtain a malicious doppelganger.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/arstechnica.com\/?p=1917705\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Dan Goodin<\/p>\n","protected":false},"excerpt":{"rendered":"<p>NOT THE PYPI PACKAGE YOU&#8217;RE LOOKING FOR \u2014 The code found in the malicious packages closely resembled legit offerings. Dan Goodin &#8211; Feb 14, 2023 11:37 pm UTC More than 400 malicious packages were recently uploaded to PyPI (Python Package Index), the official code repository for the Python programming language, in the latest indication that<\/p>\n","protected":false},"author":1,"featured_media":608279,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[313,518,46],"tags":[],"class_list":{"0":"post-608278","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-attack","8":"category-latest","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/608278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=608278"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/608278\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/608279"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=608278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=608278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=608278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}