Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library Logo
May 13, 2024
Software Security / Malware
Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang-version of the Sliver command-and-control (C2) framework within a PNG image of the project's logo. The package employing this steganographic trickery is requests-darwin-lite , which has been downloaded 417 times prior to it being taken down from the Python Package Index (PyPI) registry. Requests-darwin-lite "appeared to be a fork of the ever-popular requests package with a few key differences, most notably the inclusion of a malicious Go binary packed into a large version of the actual requests side-bar PNG logo," software supply chain security firm Phylum said . The changes have been introduced in the package's setup.py file, which has been configured to decode and execute a Base64-encoded command to gather the system's Universally Unique Identifier ( UUID ), but...
