Check Point Research (CPR) detects a new malicious package on PyPI, the repository of software for the Python programming language. The malicious package was designed to hide code in images and infect through open-source projects on GitHub. CPR believes its findings reflect careful planning and thought by a threat actor, who proves that obfuscation techniques on PyPI have evolved.
∙ Infection designed to take place through GitHub ‘legitimate’ projects
∙ CPR shares image it found where malicious code was hidden behind
∙ CPR responsibly disclosed findings to PyPI, who removed threat
Check Point Research (CPR) detected a new malicious package on PyPI, the repository of software for the Python programming language. This malicious package is distinct in two ways:
- It hides the malicious code inside an image
- The main infection area is GitHub
Hiding Code in Images
CPR found that code was obfuscated inside the following image.
Infection via GitHub
The infection process goes as follows: searching the web for legitimate projects, one will come across these GitHub open-sourced projects and will install it locally, not knowing it brings in a malicious package import. From the installer point of view, they are trying an open-source project from GitHub, not knowing it hides a malicious Trojan part inside it.
CPR responsibly disclosed its findings to PyPI, who quickly removed the malicious package.
Quote: Ori Abramovsky, Head of Data Science, SpectralOps (a Check Point company):
“We constantly scan PyPI for malicious packages and responsibly report them to PyPI. This one is unique and distinct from almost all the malicious packages we have encountered before. This package differs in the way it camouflages its intent, and the way in which it targets PyPI users to infect them with malicious imports on GitHub. Our findings indicate that PyPI malicious packages and their obfuscation techniques are fast-evolving. The package we have shared here reflects careful and meticulous work. It is not the regular copy and past that we commonly see, but what seems like a real campaign. The creation of the GitHub projects, then smartly hiding the code and downplaying the packages on PyPI, are all sophisticated work.”
- Use services like threat code scanners to double check the 3rd party packages
- Approach with suspicion. Even if you see a project on GitHub with stars and forks, it can be a synthetically generated fake view
- Double check and explore code you do not own