Python | Breaking Cybersecurity News | The Hacker News

Four different rogue packages in the Python Package Index ( PyPI ) have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file. The packages in question are  aptx ,  bingchilling2 ,  httops , and  tkint3rs , all of which were collectively downloaded about 450 times before they were taken down. While aptx is an attempt to impersonate Qualcomm's  highly popular audio codec  of the same name, httops and tkint3rs are typosquats of https and tkinter, respectively. "Most of these packages had well thought out names, to purposely confuse people," security researcher and journalist Ax Sharma  said . An analysis of the malicious code injected in the setup script reveals the presence of an obfuscated  Meterpreter payload  that's disguised as " pip ," a legitimate package installer for Python, and which can be leveraged to gain shell access to the infected host.

Cybersecurity researchers have unearthed a new attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022. "This malware is unique in its utilization of  WebSockets  to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix  said  in a report shared with The Hacker News. The malware, dubbed PY#RATION by the cybersecurity firm, comes with a host of capabilities that allows the threat actor to harvest sensitive information. Later versions of the backdoor also sport anti-evasion techniques, suggesting that it's being actively developed and maintained. The attack commences with a phishing email containing a ZIP archive, which, in turn, harbors two shortcut (.LNK) files that masquerade as front and back side images of a seemingly legitimate U.K. driver's license. Opening each of the .LNK files retrieves two text files from a remote server that a

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems. The now-removed packages, which were  discovered  by Phylum between December 22 and December 31, 2022, include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles. The malicious code, as is  increasingly the case , is concealed in the setup script (setup.py) of these libraries, meaning running a "pip install" command is enough to activate the malware deployment process. The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, install invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and run a Visual Basic Script extracted from the archive to execute more PowerShell code. "These libraries allow one to control and monitor mouse and keyboard input and capture screen contents," Phylum said in a technical report published

A financially motivated threat actor tracked as  Blind Eagle  has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador. Check Point's  latest research  offers new insights into the Spanish-speaking group's tactics and techniques, including the use of sophisticated tools and government-themed lures to activate the killchain. Also tracked under the name APT-C-36, Blind Eagle is notable for its narrow geographical focus and launching indiscriminate attacks against South American nations since at least 2018. Blind Eagle's operations have been  documented  by Trend Micro in September 2021, when it described a spear-phishing campaign primarily aimed at Colombian entities that's designed to deliver a commodity malware known as  BitRAT , with a lesser focus towards targets in Ecuador, Spain, and Panama. Attack chains commence with phishing emails containing a booby-trapped link that, when

Cybersecurity researchers have uncovered 29 packages in Python Package Index (PyPI), the official third-party software repository for the Python programming language, that aim to infect developers' machines with a malware called W4SP Stealer . "The main attack seems to have started around October 12, 2022, slowly picking up steam to a concentrated effort around October 22," software supply chain security company Phylum  said  in a report published this week. The list of offending packages is as follows: typesutil, typestring, sutiltype, duonet, fatnoob, strinfer, pydprotect, incrivelsim, twyne, pyptext, installpy, faq, colorwin, requests-httpx, colorsama, shaasigma, stringe, felpesviadinho, cypress, pystyte, pyslyte, pystyle, pyurllib, algorithmic, oiu, iao, curlapi, type-color, and pyhints. Collectively, the packages have been downloaded more than 5,700 times, with some of the libraries (e.g., twyne and colorsama) relying on typosquatting to trick unsuspecting users

As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, and IT management. The shortcoming, tracked as  CVE-2007-4559  (CVSS score: 6.8), is rooted in the tarfile module, successful exploitation of which could lead to code execution from an arbitrary file write. "The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive," Trellix security researcher Kasimir Schulz  said  in a writeup. Originally disclosed in August 2007, the bug has to do with how a specially crafted tar archive can be leveraged to overwri

The Python Package Index, PyPI, on Wednesday sounded the alarm about an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates to legitimate packages. "This is the first known phishing attack against PyPI," the maintainers of the official third-party software repository  said  in a series of tweets. The social engineering attack entails sending security-themed messages that create a false sense of urgency by informing recipients that Google is implementing a mandatory validation process on all packages and that they need to click on a link to complete the validation before September, or risk getting their PyPI modules removed. Should an unsuspecting developer fall for the scheme, users are directed to a lookalike landing page that mimics PyPI's login page and is hosted on Google Sites, from where the entered credentials are captured and abused to unauthorizedly access the accounts and compromise the packages to include malware

In what's yet another instance of malicious packages creeping into public code repositories, 10 modules have been removed from the Python Package Index (PyPI) for their ability to harvest critical data points such as passwords and API tokens. The packages "install info-stealers that enable attackers to steal developer's private data and personal credentials," Israeli cybersecurity firm Check Point  said  in a Monday report. A short summary of the offending packages is below - Ascii2text , which downloads a nefarious script that gathers passwords stored in web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser Pyg-utils, Pymocks, and PyProto2 , which are designed to  steal users' AWS credentials Test-async and Zlibsrc , which download and execute malicious code during installation Free-net-vpn, Free-net-vpn2, and WINRPCexploit , which steal user credentials and environment variables, and Browserdiv , which are capable of coll

The maintainers of the official third-party software repository for Python have begun imposing a new two-factor authentication (2FA) condition for projects deemed "critical." "We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," Python Package Index (PyPI)  said  in a tweet last week. "Any maintainer of a critical project (both 'Maintainers' and 'Owners') are included in the 2FA requirement," it  added . Additionally, the developers of critical projects who have not previously turned on 2FA on PyPi are being offered free hardware security keys from the Google Open Source Security Team. PyPI, which is run by the Python Software Foundation, houses more than 350,000 projects, of which over  3,500 projects  are said to be tagged with a "critical" designation. According to the repository maintainers, any project accounting for the top 1%

Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint. The list of packages includes loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, according to Sonatype security researcher Ax Sharma. The packages and as well as the endpoint have now been taken down. "Some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job," Sharma  said . The malicious code injected into "loglib-modules" and "pygrata-utils" allow the packages to harvest AWS credentials, network interface information, and environment variables and export them to a remote endpoint: "hxxp://graph.pygrata[.]com:8000/upload." Troublingly, the endpoints hosting this information in the form of hundreds of .TXT files were not secu

Researchers have disclosed what they say is the first-ever Python-based ransomware strain specifically designed to target exposed Jupyter notebooks, a web-based interactive computing platform that allows editing and running programs via a browser. "The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack," Assaf Morag, a data analyst at Aqua Security,  said  in a report. The new ransomware sample, which the cloud security firm detected after it was trapped in one of its honeypot servers, is said to have been executed after the unnamed adversary gained access to the server and downloaded the necessary tools required to carry out the encryption process by opening a terminal. Aqua Security characterized the attack as "simple and straightforward," unlike other traditional ransomware-as-a-service (RaaS) schemes, add

Cybersecurity researchers have uncovered as many as 11 malicious Python packages that have been cumulatively downloaded more than 41,000 times from the Python Package Index (PyPI) repository, and could be exploited to steal Discord access tokens, passwords, and even stage dependency confusion attacks. The Python packages have since been removed from the repository following responsible disclosure by DevOps firm JFrog — importantpackage / important-package pptest ipboards owlmoon DiscordSafety trrfab 10Cent10 / 10Cent11 yandex-yt yiffparty Two of the packages ("importantpackage," "10Cent10," and their variants) were found obtaining a reverse shell on a compromised machine, giving the attacker full control over the system. Two other packages "ipboards" and "trrfab" masqueraded as legitimate dependencies designed to be automatically imported by taking advantage of a technique called  dependency confusion  or namespace confusion. Unli

A high-severity code injection vulnerability has been disclosed in 23andMe's Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code. The flaw, tracked as  CVE-2021-38305  (CVSS score: 7.8), involves manipulating the schema file provided as input to the tool to circumvent protections and achieve code execution. Particularly, the  issue  resides in the schema parsing function, which allows any input passed to be evaluated and executed, resulting in a scenario where a specially-crafted string within the schema can be abused for the injection of system commands. Yamale is a Python package that allows developers to validate YAML — a data serialization language often used for writing configuration files — from the command line. The package is used by at least  224 repositories  on GitHub.  "This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execut

The maintainers of Python Package Index (PyPI) last week issued fixes for three vulnerabilities, one among which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository. The security weaknesses were  discovered  and reported by Japanese security researcher RyotaK, who in the past has disclosed critical vulnerabilities in the  Homebrew Cask repository  and Cloudflare's  CDNJS library . He was awarded a total of $3,000 as part of the bug bounty program. The list of three vulnerabilities is as follows - Vulnerability in Legacy Document Deletion on PyPI  - An exploitable vulnerability in the mechanisms for deleting legacy documentation hosting deployment tooling on PyPI, which would allow an attacker to remove documentation for projects not under their control. Vulnerability in Role Deletion on PyPI  - An exploitable vulnerability in the mechanisms for deleting roles on PyPI was discovered by a security researcher

As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks. "Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks," JFrog researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe  said  Thursday. PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like  pip  relying on it as the default source for packages and their dependencies. The Python packages in question, which were found to be obfuscated using Base64 encoding, are listed below - pytagora (uploaded by leonora123) pytagora2 (upl

A new malware campaign has been found using coronavirus-themed lures to strike government and energy sectors in Azerbaijan with remote access trojans (RAT) capable of exfiltrating sensitive documents, keystrokes, passwords, and even images from the webcam. The targeted attacks employ Microsoft Word documents as droppers to deploy a previously unknown Python-based RAT dubbed "PoetRAT" due to various references to sonnets by English playwright William Shakespeare. "The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation," said Cisco Talos in an analysis published last week. According to the researchers, the malware specifically targets supervisory control and data acquisition (SCADA) systems in the energy industry, such as wind turbine systems, whose identities are currently not known. The development is the latest in a surge in cyberattacks exploiting the ongoing coronavirus pandemi

Malware or computer virus can infect your computer in several different ways, but one of the most common methods of its delivery is through malicious file attachments over emails that execute the malware when you open them. Therefore, to protect its users from malicious scripts and executable, Microsoft is planning to blacklist 38 additional file extensions by adding them to its list of file extensions that are blocked from being downloaded as attachments in Outlook on the Web. Previously known as Outlook Web Application or OWA, "Outlook on the Web" is Microsoft's web-based email client for users to access their emails, calendars, tasks and contacts from Microsoft's on-premises Exchange Server and cloud-based Exchange Online. The list of blocked file extensions currently has 104 entries, including .exe, .url, .com, .cmd, .asp, .lnk, .js, .jar, .tmp, .app, .isp, .hlp, .pif, .msi, .msh, and more. Now, the expanded block list will also include 38 new extensions

It's no secret that learning how to code is one of the most important things you can do when it comes to the beginning or furthering practically any career in programming and technology. The only problem a beginner often faces is that there are seemingly countless programming languages to choose from, which makes it exceedingly difficult for aspiring or even seasoned programmers to know which language to learn next. But if you haven't already learned Python, look no further. Python is no doubt one of the most powerful and popular programming languages on the planet, and the Complete Python Programming Bundle will teach you everything you need to know for more than 90% off at just $79. With seven modules led by expert instructors, this bundle walks you through everything from the fundamental aspects of Python to its most advanced tricks and tools. Whether you're just embarking on a career in coding and development, or you are a veteran programmer who wants to add

Security researchers have been warning of a few newly detected variants of python -based adware that are being distributed in the wild not only to inject ads but also found installing malicious browser extensions and hidden cryptocurrency miner into victims' computers. Dubbed PBot , or PythonBot , the adware was first uncovered more than a year ago, but since then the malware has evolved, as its authors have been trying different money-making schemes to profit themselves, according to researchers at Kaspersky Labs. The previous versions of the PBot malware were designed to perform man-in-the-browser (MITB) attacks to inject unwanted advertising scripts on web pages visited by the victim, but the newer variants have been found installing malicious ad extensions in the web browser. "Developers are constantly releasing new versions of this modification, each of which complicates the script obfuscation," Kaspersky researchers said in their blog post published today.

This newly discovered bugs in Java and Python is a big deal today. The two popular programming languages, Java and Python, contain similar security flaws that can be exploited to send unauthorized emails and bypass any firewall defenses. And since both the flaws remain unpatched, hackers can take advantage to design potential cyber attack operations against critical networks and infrastructures. The unpatched flaws actually reside in the way Java and Python programming languages handle File Transfer Protocol (FTP) links, where they don't syntax-check the username parameter, which leads to, what researchers call, protocol injection flaw. Java/Python FTP Injection to Send Unauthorized SMTP Emails In a blog pos t published over the past week, security researcher Alexander Klink detailed the FTP protocol injection vulnerability in Java's XML eXternal Entity (XXE) that allows attackers to inject non-FTP malicious commands inside an FTP connection request. To demonst