A dormant package deal obtainable on the Python Package Index (PyPI) repository was up to date almost after two years to propagate an data stealer malware referred to as Nova Sentinel.
The package deal, named django-log-tracker, was first printed to PyPI in April 2022, based on software program provide chain safety agency Phylum, which detected an anomalous replace to the library on February 21, 2024.
While the linked GitHub repository hasn’t been up to date since April 10, 2022, the introduction of a malicious replace suggests a possible compromise of the PyPI account belonging to the developer.
Django-log-tracker has been downloaded 3,866 occasions thus far, with the rogue model (1.0.4) downloaded 107 occasions on the date it was printed. The package deal is now not obtainable for obtain from PyPI.
“In the malicious replace, the attacker stripped the package deal of most of its authentic content material, leaving solely an __init__.py and instance.py file behind,” the corporate mentioned.
The modifications, easy and self-explanatory, contain fetching an executable named “Updater_1.4.4_x64.exe” from a distant server (“45.88.180[.]54”), adopted by launching it utilizing the Python os.startfile() perform.
The binary, for its half, comes embedded with Nova Sentinel, a stealer malware that was first documented by Sekoia in November 2023 as being distributed within the type of pretend Electron apps on bogus websites providing online game downloads.
“What’s attention-grabbing about this explicit case […] is that the assault vector gave the impression to be an tried supply-chain assault through a compromised PyPI account,” Phylum mentioned.
“If this had been a extremely standard package deal, any venture with this package deal listed as a dependency with no model specified or a versatile model specified of their dependency file would have pulled the most recent, malicious model of this package deal.”