PyPI | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that's based on Apache Airflow. "This vulnerability lets attackers with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, which has high-level permissions across GCP services like Cloud Build itself, Cloud Storage, and Artifact Registry," Liv Matan, senior security researcher at Tenable, said in a report shared with The Hacker News. The shortcoming has been codenamed ConfusedComposer by the cybersecurity company, describing it as a variant of ConfusedFunction , a privilege escalation vulnerability impacting GCP's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. The disclosure comes weeks after Tenable detailed another pr...

Cybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that's designed to reroute trading orders placed on the MEXC cryptocurrency exchange to a malicious server and steal tokens. The package, ccxt-mexc-futures, purports to be an extension built on top of a popular Python library named ccxt (short for CryptoCurrency eXchange Trading), which is used to connect and trade with several cryptocurrency exchanges and facilitate payment processing services. The malicious package is no longer available on PyPI, but statistics on pepy.tech shows that it has been downloaded at least 1,065 times . "The authors of the malicious ccxt-mexc-futures package, claim in its README file that it extends the CCXT package to support 'futures' trade on MEXC," JFrog researcher Guy Korolevski said in a report shared with The Hacker News. However, a deeper examination of the library has revealed that it specifically overr...

Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries. The package in question is set-utils , which has received 1,077 downloads to date. It's no longer available for download from the official registry. "Disguised as a simple utility for Python sets, the package mimics widely used libraries like python-utils (712M+ downloads) and utils (23.5M + downloads)," software supply chain security company Socket said . "This deception tricks unsuspecting developers into installing the compromised package, granting attackers unauthorized access to Ethereum wallets." The package aims to target Ethereum developers and organizations working with Python-based blockchain applications, particularly Python-based wallet management libraries like eth-account. Besides embedding the attacker's RSA public key to...

The maintainers of the Python Package Index (PyPI) registry have announced a new feature that allows package developers to archive a project as part of efforts to improve supply chain security . "Maintainers can now archive a project to let users know that the project is not expected to receive any more updates," Facundo Tuesca, senior engineer at Trail of Bits, said . In doing so, the idea is to clearly signal to developers that the Python libraries are no longer being actively maintained and that no future security fixes or product updates should be expected. That said, projects labeled as archived will continue to remain available on PyPI and users can continue to install it without any issues. In a separate blog post detailing the feature, Tuesca said the maintainers are considering additional maintainer-controlled statuses to better communicate a project's status to downstream consumers. PyPI also recommends that package developers release a final version pr...

Cybersecurity researchers have identified three sets of malicious packages across the npm and Python Package Index (PyPI) repository that come with capabilities to steal data and even delete sensitive data from infected systems. The list of identified packages is below - @async-mutex/mutex, a typosquat of async-mute (npm) dexscreener, which masquerades as a library for accessing liquidity pool data from decentralized exchanges (DEXs) and interacting with the DEX Screener platform (npm) solana-transaction-toolkit (npm) solana-stable-web-huks (npm) cschokidar-next, a typosquat of chokidar (npm) achokidar-next, a typosquat of chokidar (npm) achalk-next, a typosquat of chalk (npm) csbchalk-next, a typosquat of chalk (npm) cschalk, a typosquat of chalk (npm) pycord-self, a typosquat of discord.py-self (PyPI) Supply chain security company Socket, which discovered the packages, said the first four packages are designed to intercept Solana private keys and transmit them throug...

Cybersecurity researchers have flagged two malicious packages that were uploaded to the Python Package Index (PyPI) repository and came fitted with capabilities to exfiltrate sensitive information from compromised hosts, according to new findings from Fortinet FortiGuard Labs. The packages, named zebo and cometlogger , attracted 118 and 164 downloads each, prior to them being taken down. According to ClickPy statistics, a majority of these downloads came from the United States, China, Russia, and India.  Zebo is a "typical example of malware, with functions designed for surveillance, data exfiltration, and unauthorized control," security researcher Jenna Wang said, adding cometlogger "also shows signs of malicious behavior, including dynamic file manipulation, webhook injection, stealing information, and anti-[virtual machine] checks." The first of the two packages, zebo, uses obfuscation techniques, such as hex-encoded strings, to conceal the URL of the co...

The administrators of the Python Package Index (PyPI) repository have quarantined the package " aiocpa " following a new update that included malicious code to exfiltrate private keys via Telegram. The package in question is described as a synchronous and asynchronous Crypto Pay API client. The package, originally released in September 2024, has been downloaded 12,100 times to date. By putting the Python library in quarantine, it prevents further installation by clients and cannot be modified by its maintainers.  Cybersecurity outfit Phylum, which shared details of the software supply chain attack last week, said the author of the package published the malicious update to PyPI, while keeping the library's GitHub repository clean in an attempt to evade detection. It's currently not clear if the original developer was behind the rogue update or if their credentials were compromised by a different threat actor. Signs of malicious activity were first spotted i...

Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign. PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in attacks related to the 3CX supply chain compromise last year. Some of these attacks are part of a persistent cyber attack campaign dubbed Operation Dream Job , wherein prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware. "The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of open-source Python packages," Unit 42 researcher Yoav Zemah said , linking the activity with moderate confidence to a threat actor called Gleaming Pisces. The adversary is also tracked by the wid...

A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations. It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads. These susceptible packages have more than 100,000 downloads or have been active for over six months. "This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they're removed from PyPI's index by the original owner," JFrog security researchers Andrey Polkovnychenko and Brian Moussalli said in a report shared with The Hacker News. At its core, the attack hinges on the fact that Python packages published in the PyPI repository may get removed, making available the names of those deleted projects ...

Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness . Dependency confusion attacks  take place owing to the fact that package managers check the public repositories before private registries, thus allowing a threat actor to publish a malicious package with the same name to a public package repository. This causes the package manager to inadvertently download the fraudulent package from the public repository instead of the intended private repository. If successful, it can have serious consequences, such as infecting all downstream customers that install the package. A May 2023 analysis of npm and PyPI packages stored in cloud environments by enterprise security company Orca  revealed  that nearly 49% of organizations are vulnerable to a dependency confusion attack. While npm and other package managers have since introduced fixes to prioritize the private versions, a...

GitGuardian is famous for its annual  State of Secrets Sprawl  report. In their 2023 report, they found over 10 million exposed passwords, API keys, and other credentials exposed in public GitHub commits. The takeaways in their 2024 report did not just highlight 12.8 million  new  exposed secrets in GitHub, but a number in the popular Python package repository  PyPI . PyPI, short for the Python Package Index, hosts over 20 terabytes of files that are freely available for use in Python projects. If you've ever typed pip install [name of package], it likely pulled that package from PyPI. A lot of people use it too. Whether it's GitHub, PyPI, or others, the report states, "open-source packages make up an estimated 90% of the code run in production today. "  It's easy to see why that is when these packages help developers avoid the reinvention of millions of wheels every day. In the 2024 report, GitGuardian reported finding over 11,000 exposed  unique...

Threat hunters have discovered a set of seven packages on the Python Package Index (PyPI) repository that are designed to steal  BIP39 mnemonic phrases  used for recovering private keys of a cryptocurrency wallet. The software supply chain attack campaign has been codenamed BIPClip by ReversingLabs. The packages were collectively downloaded 7,451 times prior to them being removed from PyPI. The list of packages is as follows - jsBIP39-decrypt  (126 downloads) bip39-mnemonic-decrypt  (689 downloads) mnemonic_to_address  (771 downloads) erc20-scanner  (343 downloads) public-address-generator  (1,005 downloads) hashdecrypt  (4,292 downloads) hashdecrypts  (225 downloads) BIPClip, which is aimed at developers working on projects related to generating and securing cryptocurrency wallets, is said to be active since at least December 4, 2022, when hashdecrypt was first published to the registry. "This is just the latest software supply ...

The notorious North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the goal of infecting developer systems with malware. The packages, now taken down, are  pycryptoenv ,  pycryptoconf ,  quasarlib , and  swapmempool . They have been collectively downloaded 3,269 times, with pycryptoconf accounting for the most downloads at 1,351. "The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python," JPCERT/CC researcher Shusei Tomonaga  said . "Therefore, the attacker probably prepared the malware-containing malicious packages to target users' typos in installing Python packages." The disclosure comes days after Phylum  uncovered  several rogue packages on the npm registry that have been used to single out software developers as part of a campaign codenamed Contagious Interview. An interesting commonality bet...

A new set of malicious Python packages has slithered their way to the Python Package Index (PyPI) repository with the ultimate aim of stealing sensitive information from compromised developer systems. The packages masquerade as seemingly innocuous obfuscation tools, but harbor a piece of malware called  BlazeStealer , Checkmarx said in a report shared with The Hacker News. "[BlazeStealer] retrieves an additional malicious script from an external source, enabling a Discord bot that gives attackers complete control over the victim's computer," security researcher Yehuda Gelb said. The campaign, which commenced in January 2023, entails a total of eight packages named Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood, the last of which was published in October.  These modules come with setup.py and init.py files that are designed to retrieve a Python script hosted on transfer[.]sh, which gets executed immediately upon...

The Python Package Index (PyPI) announced last week that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication ( 2FA ) by the end of the year. "Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage," PyPI administrator Donald Stufft said. "In addition, we may begin selecting certain users or projects for early enforcement." The enforcement also includes  organization maintainers , but does not extend to every single user of the service. The goal is to neutralize the threats posed by account takeover attacks, which an attacker can leverage to distribute trojanized versions of popular packages to poison the software supply chain and deploy malware on a large scale. PyPI, like other open source repositories such as npm, has  witnessed  innumerable instances of malware and package impersonation. Earlier this month, F...

Four different rogue packages in the Python Package Index ( PyPI ) have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file. The packages in question are  aptx ,  bingchilling2 ,  httops , and  tkint3rs , all of which were collectively downloaded about 450 times before they were taken down. While aptx is an attempt to impersonate Qualcomm's  highly popular audio codec  of the same name, httops and tkint3rs are typosquats of https and tkinter, respectively. "Most of these packages had well thought out names, to purposely confuse people," security researcher and journalist Ax Sharma  said . An analysis of the malicious code injected in the setup script reveals the presence of an obfuscated  Meterpreter payload  that's disguised as " pip ," a legitimate package installer for Python, and which can be leveraged to gain shell access to the...

A threat actor by the name  Lolip0p  has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems. The packages – named  colorslib  (versions 4.6.11 and 4.6.12),  httpslib  (versions 4.6.9 and 4.6.11), and  libhttps  (version 4.6.12) – by the author between January 7, 2023, and January 12, 2023. They have since been yanked from PyPI but not before they were cumulatively downloaded over 550 times. The modules come with identical setup scripts that are designed to invoke PowerShell and run a malicious binary (" Oxzy.exe ") hosted on Dropbox, Fortinet  disclosed  in a report published last week. The executable, once launched, triggers the retrieval of a next-stage, also a binary named  update.exe , that runs in the Windows temporary folder ("%USER%\AppData\Local\Temp\"). update.exe is flagged by antivirus vendors on VirusTotal as an information ...