Twenty-nine Python packages on the PyPI registry have been discovered to be deploying the new info-stealer dubbed "W4SP," which enables Discord token, cookie, and saved password exfiltration, according to BleepingComputer.
Threat actors have published typosquatted packages, named to resemble known Python libraries, to facilitate the spread of the info-stealer, a report from software supply chain security company Phylum revealed. One of the malicious packages, typesutil, has been found to allow code injection through the "__import__" statement in the codebase of legitimate libraries.
"The benefit this attacker gained from copying an existing legitimate package, is that because the PyPI landing page for the package is generated from the setup.py and the README.md, they immediately have a real looking landing page with mostly working links and the whole bit. Unless thoroughly inspected, a brief glance might lead one to believe this is also a legitimate package," wrote Phylum researchers.
Meanwhile, two other PyPI packages dubbed "threadings" and "pystile" have been discovered by software developer Hauke Lübbers to spread the GyruzPIP malware, which also allows the theft of Discord tokens, browser cookies, and passwords.
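For reviewers vetting a dependency before install, one way to surface the kind of "__import__" statement described above is to parse the package source without executing it. This is an added example, not code from Phylum or the original report; the sample source, the module name `placeholder_loader`, and the function name `find_dynamic_imports` are constructed for illustration.

```python
import ast

# Constructed stand-in for a copied setup.py with one extra line added.
SAMPLE = '''\
import os
from setuptools import setup

__import__("placeholder_loader").run()

def helper(name):
    return __import__(name)

setup(name="example-package", version="0.0.1")
'''

def find_dynamic_imports(source, filename="<constructed>"):
    """Return (filename, line, target, runs_at_import) per __import__ call."""
    tree = ast.parse(source, filename=filename)  # parse only, nothing is run
    # Collect nodes outside function bodies: these execute as soon as the
    # file is imported or run by an installer. Decorators and default
    # arguments are not tracked (a simplification of this example).
    at_import = set()
    stack = list(tree.body)
    while stack:
        node = stack.pop()
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            continue
        at_import.add(id(node))
        stack.extend(ast.iter_child_nodes(node))
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "__import__"):
            arg = node.args[0] if node.args else None
            literal = isinstance(arg, ast.Constant) and isinstance(arg.value, str)
            target = arg.value if literal else "<computed>"
            findings.append((filename, node.lineno, target, id(node) in at_import))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for finding in find_dynamic_imports(SAMPLE):
        print(finding)
```

A hit that runs at import time in a package whose landing page and code otherwise mirror a known library is a reason to diff it against the genuine release before installing.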