Third-party code

Malicious Python packages proliferate

BleepingComputer reports that information- and cryptocurrency-stealing malware was discovered across 272 Python packages with nearly 75,000 downloads, all part of a malicious campaign that has grown increasingly sophisticated over the last six months. According to a Checkmarx Supply Chain Security report, the malware used in the campaign has not only targeted browser-stored data, cryptocurrency wallet information, and Discord, Minecraft, and Roblox details, but has also captured screenshots, exfiltrated files from affected systems, and manipulated application data. While the malicious code in packages discovered in April was in plain text, the attackers added encryption and other obfuscation techniques in the following months, with a separate Checkmarx report noting 70 layers of obfuscation used in the campaign. Because such a campaign poses a supply chain attack risk, developers and other users have been urged to carefully examine projects and package publishers on GitHub, PyPI, NPM, and other repositories and package registries.
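The "70 layers of obfuscation" detail points to one concrete check a reviewer can run on a package before installing it: statically peeling nested exec()-of-decoded-literal wrappers and counting how deep they go. The following is an added example, not code from the Checkmarx or BleepingComputer reports and not a reproduction of the campaign's packages; it assumes only base64, zlib and hex wrappers, and the sample it analyses is a harmless fixture constructed by `build_fixture`.

```python
import ast
import base64
import zlib

# Decoders reversed statically (nothing is executed); keys are the dotted call names in the source.
DECODERS = {"base64.b64decode": base64.b64decode, "zlib.decompress": zlib.decompress,
            "bytes.fromhex": bytes.fromhex}
def _dotted(node):
    # 'a.b' for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None
def _static_eval(node):
    """Reduce nested decoder calls over a literal to bytes/str without running them, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (bytes, str)):
        return node.value
    if isinstance(node, ast.Call) and len(node.args) == 1 and not node.keywords:
        fn, inner = DECODERS.get(_dotted(node.func)), _static_eval(node.args[0])
        if fn is not None and inner is not None:
            try:
                return fn(inner)
            except (ValueError, zlib.error):
                return None
    return None
def peel_layers(source, max_layers=200):
    """Unwrap exec()/eval() of decoded literals one layer at a time; returns (layers, innermost)."""
    for depth in range(max_layers):
        try:
            tree = ast.parse(source)
        except SyntaxError:          # decoded to something that is not Python: stop here
            return depth, source
        nxt = None
        for node in ast.walk(tree):
            if isinstance(node, ast.Call) and _dotted(node.func) in ("exec", "eval") and node.args:
                payload = _static_eval(node.args[0])
                if payload is not None:
                    nxt = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else payload
                    break
        if nxt is None:
            return depth, source
        source = nxt
    return max_layers, source
def build_fixture(layers, inner="print('hello')"):
    """Constructed test input only: a harmless statement wrapped in N base64+zlib exec() layers."""
    src = inner
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(src.encode())).decode()
        src = f"import base64, zlib\nexec(zlib.decompress(base64.b64decode({blob!r})))"
    return src
```

A package whose setup.py or module peels to more than one layer, or whose innermost source imports networking or environment-reading modules, deserves a manual read before it is installed.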
