Malware, Data Security

Info-stealers deployed by dozens of PyPI packages

Twenty-nine Python packages on the PyPI registry have been discovered to be deploying the new info-stealer dubbed "W4SP," which enables Discord token, cookie, and saved password exfiltration, according to BleepingComputer. Threat actors have published typosquatted packages named to resemble known Python libraries to facilitate the spread of the info-stealer, a report from software supply chain security company Phylum revealed.

One of the malicious packages, typesutil, has been found to allow code injection through an "__import__" statement in the codebase of legitimate libraries. "The benefit this attacker gained from copying an existing legitimate package, is that because the PyPI landing page for the package is generated from the setup.py and the README.md, they immediately have a real looking landing page with mostly working links and the whole bit. Unless thoroughly inspected, a brief glance might lead one to believe this is also a legitimate package," wrote Phylum researchers.

Meanwhile, two other PyPI packages dubbed "threadings" and "pystile" have been discovered by software developer Hauke Lübbers to spread the GyruzPIP malware, which also allows the theft of Discord tokens, browser cookies, and passwords.
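Because a copied package can look legitimate at a glance, a reviewer can surface an injected "__import__" call like the one described above by parsing the package source without running it. The following is an added example, not code from Phylum or the original report; the function names, the RISKY_MODULES shortlist and the sample input are assumptions constructed for illustration.

```python
import ast

# Calls that load or run code chosen at run time.
DYNAMIC_CALLS = {"__import__", "exec", "eval"}
# Constructed shortlist (an assumption, not from the Phylum report): modules that
# give dynamically imported code network, process or decoding capability.
RISKY_MODULES = {"urllib", "requests", "socket", "subprocess", "os", "base64"}

def _calls_in_function_bodies(tree):
    """ids of Call nodes that only run when a function or lambda is invoked."""
    deferred = set()
    for scope in ast.walk(tree):
        if isinstance(scope, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            body = scope.body if isinstance(scope.body, list) else [scope.body]
            for stmt in body:
                deferred.update(id(n) for n in ast.walk(stmt) if isinstance(n, ast.Call))
    return deferred

def audit_source(source, filename="<package file>"):
    """Parse (never execute) Python source and report dynamic import/exec calls."""
    tree = ast.parse(source, filename=filename)
    deferred = _calls_in_function_bodies(tree)
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DYNAMIC_CALLS):
            continue
        first = node.args[0] if node.args else None
        literal = isinstance(first, ast.Constant) and isinstance(first.value, str)
        target = first.value if literal else None  # None: argument is computed
        risky = (node.func.id != "__import__" or target is None
                 or target.split(".")[0] in RISKY_MODULES)
        findings.append({"file": filename, "line": node.lineno, "call": node.func.id,
                         "target": target, "runs_on_import": id(node) not in deferred,
                         "risky": risky})
    return sorted(findings, key=lambda f: (f["line"], f["call"]))

# Constructed sample standing in for a copied setup.py; it is only parsed.
SAMPLE = (
    'from setuptools import setup\n'
    '__import__("urllib.request")\n'
    'def helper():\n'
    '    return __import__("math").sqrt(4)\n'
    'setup(name="example")\n'
)

if __name__ == "__main__":
    for finding in audit_source(SAMPLE, "setup.py"):
        print(finding)
```

Findings with both runs_on_import and risky set are the ones to read first, since that code executes as soon as the package is installed or imported.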
