Malicious PyPI Packages Using Cloudflare Tunnels to Sneak Through Firewalls
Jan 09, 2023
Network Security / Supply Chain
In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems. The now-removed packages, which were discovered by Phylum between December 22 and December 31, 2022, include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles. The malicious code, as is increasingly the case , is concealed in the setup script (setup.py) of these libraries, meaning running a "pip install" command is enough to activate the malware deployment process. The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, install invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and run a Visual Basic Script extracted from the archive to execute more PowerShell code. "These libraries allow one to control and monitor mouse and keyboard input and capture screen contents," Phylum said in a technical report published...