A malicious package deal found on the Python Package Index (PyPI) has been discovered using a steganographic trick to hide malicious code inside picture information.
The package deal in query, named “apicolor,” was uploaded to the Python third-party repository on October 31, 2022, and described as a “Core lib for REST API,” in response to Israeli cybersecurity agency Check Point. It has since been taken down.
Apicolor, like different rogue packages detected just lately, harbors its malicious habits within the setup script used to specify metadata related to the package deal, reminiscent of its dependencies.
This takes the type of a second package deal referred to as “judyb” in addition to a seemingly innocent PNG file (“8F4D2uF.png”) hosted on Imgur, an image-sharing service.
“The judyb code turned out to be a steganography module, accountable [for] hiding and revealing hidden messages inside photos,” Check Point defined.
The assault chain entails utilizing the judyb package deal to extract obfuscated Python code embedded throughout the downloaded picture, which, upon decoding, is designed to retrieve and execute a malicious binary from a distant server.
The growth is a part of an ongoing pattern the place risk actors are more and more setting their sights on the open supply ecosystem to use the belief related to third-party software program to mount provide chain assaults.
Even extra troublingly, such malicious libraries could be integrated into different open supply tasks and revealed on GitHub, successfully broadening the scope and scale of the assaults.
“These findings replicate cautious planning and thought by a risk actor, who proves that obfuscation strategies on PyPI have advanced,” the corporate stated.