Malicious updates have been recently issued to the Python Package Index package "django-log-tracker," which was last modified in April 2022, to facilitate the distribution of the Nova Sentinel information-stealing malware, The Hacker News reports.
Attackers behind the most recent version of the package, which amassed 107 downloads before being taken down, only retained the original package's __init__.py and example.py file while allowing the retrieval of an executable, which is then deployed through a Python function, a report from Phylum revealed. Such an executable was discovered to contain an Electron app, which was reported by Sekoia to have been used to spread Nova Sentinel.
"What's interesting about this particular case [...] is that the attack vector appeared to be an attempted supply-chain attack via a compromised PyPI account. If this had been a really popular package, any project with this package listed as a dependency without a version specified or a flexible version specified in their dependency file would have pulled the latest, malicious version of this package," said Phylum.
