BleepingComputer reports that information- and cryptocurrency-stealing malware has been discovered in 272 Python packages with nearly 75,000 downloads, all part of a malicious campaign that has grown increasingly sophisticated over the last six months.
Malware used in the campaign has not only targeted browser-stored data, cryptocurrency wallet information, and Discord, Minecraft, and Roblox account details, but also captured screenshots, exfiltrated files from infected systems, and manipulated application data, according to a Checkmarx Supply Chain Security report. While the malicious code in packages discovered in April was in plain text, the attackers added encryption and other obfuscation techniques in the following months; a separate Checkmarx report noted 70 layers of obfuscation used in the campaign. Because such a campaign poses a supply chain attack risk, developers and other users have been urged to carefully vet projects and package publishers on GitHub, PyPI, NPM, and other repositories and package registries.
A command injection vulnerability in a GitHub Actions workflow used by Bazel could have allowed threat actors to insert malicious code into the production environment of projects that use the Google open-source build tool.
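The workflow weakness described above belongs to a class GitHub documents as script injection: an expression such as `${{ github.event.pull_request.title }}`, whose value an outside contributor controls, is interpolated directly into a `run:` shell step. The following is an added example, not code from the page, from Bazel or from any of the reports cited here. The two workflow snippets are constructed and hypothetical (they are not Bazel's actual workflow); the scanner flags untrusted `github.event.*` and `github.head_ref` expressions that appear inside `run:` steps, and passes the hardened variant, which routes the value through an environment variable so the shell treats it as data rather than as script text.

```python
import re

# Constructed sample (hypothetical, not Bazel's workflow): an outside
# contributor's pull-request title is spliced straight into a shell command.
UNSAFE_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        run: echo "PR title: ${{ github.event.pull_request.title }}"
"""

# Constructed hardened variant: the same value reaches the step through an
# environment variable, so it is never parsed as part of the shell script.
SAFE_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
"""

# Expression contexts whose content an external contributor can influence.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.event\.[\w.\[\]]+|github\.head_ref)\s*\}\}"
)
# A "run:" key, optionally as the first key of a list item ("- run:").
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def find_run_injections(workflow_text):
    """Return (line_no, expression) pairs for untrusted contexts used in run: steps.

    Handles both inline "run: cmd" and block-scalar "run: |" forms. Values
    placed under env: are not reported, because the shell receives them as
    variables rather than as script text.
    """
    findings = []
    in_block = False
    block_indent = 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if in_block:
            stripped = line.strip()
            indent = len(line) - len(line.lstrip())
            if stripped and indent <= block_indent:
                in_block = False  # block scalar ended; fall through to key check
            else:
                findings.extend((no, m.group(1)) for m in UNTRUSTED.finditer(line))
                continue
        m = RUN_KEY.match(line)
        if not m:
            continue
        indent = len(m.group(1)) + (len(m.group(2)) if m.group(2) else 0)
        value = m.group(3).strip()
        if value in ("|", ">", "|-", ">-"):
            in_block = True
            block_indent = indent
        else:
            findings.extend((no, x.group(1)) for x in UNTRUSTED.finditer(value))
    return findings


if __name__ == "__main__":
    for label, text in (("unsafe", UNSAFE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(label, find_run_injections(text))
```

The scanner is deliberately line-based rather than a full YAML parser, so it runs without third-party dependencies and can be dropped into a pre-commit hook or CI job that reads every file under `.github/workflows/`. The same check extends to other contexts a contributor controls (issue and comment bodies, branch names, commit messages); the two contexts in `UNTRUSTED` are a starting list, not an exhaustive one.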
Numerous cybersecurity researchers have already published proof-of-concept exploits on GitHub for a critical vulnerability affecting the open-source automation server Jenkins, BleepingComputer reports.