Malicious open-source Python .whl (Wheel) files were found distributing a new malware named KEKW, which combines infostealer functionality with clipper activity to steal sensitive information from infected systems and hijack cryptocurrency transactions.
In a blog post on May 3, Cyble Research and Intelligence Labs (CRIL) explained that the Python packages under scrutiny were not present in the actual PyPI (Python Package Index) repository, indicating that the Python security team removed the malicious packages.
CRIL also verified with the Python security team on May 2 that the security team took down the malicious packages within 48 hours of them being uploaded. Because the malicious packages were taken down quickly, CRIL said it’s impossible to determine the number of people who downloaded them. However, they believe that the impact of the incident may have been minimal.
The incident brings up an ongoing issue for the open-source community. PyPI has become a widely used repository for software packages using the Python programming language. Developers use it to share and download Python code. Because of the widespread use of PyPI, it has become a desirable target for threat actors looking to attack developers.
CRIL researchers say the malicious packages are usually uploaded by disguising them as useful software or by imitating well-known projects by altering their names. In the past, CRIL has encountered multiple instances where attackers have used PyPI packages to distribute malware payloads. In addition, the frequency of infostealers being disseminated through malicious PyPI packages has also increased.
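One way a developer can screen a dependency list for names that imitate well-known projects is sketched below. It is an added example, not code from CRIL or PyPI; the `KNOWN_PROJECTS` list, the function names and the sample requirement names are constructed for illustration.

```python
import re

# Constructed allow-list (assumption): in practice, take it from your own
# lockfile or an internal index of approved packages.
KNOWN_PROJECTS = ["requests", "urllib3", "numpy", "pandas",
                  "cryptography", "python-dateutil"]

def normalize(name):
    """PEP 503 normalization: lowercase; runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent swap, e.g. 'eu' typed for 'ue'
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def lookalikes(requirement_names, known=KNOWN_PROJECTS, max_distance=2):
    """Return (requested, resembles, distance) for every requested name that
    is close to, but not identical to, a known project name."""
    known_norm = {normalize(k) for k in known}
    findings = []
    for raw in requirement_names:
        name = normalize(raw)
        if name in known_norm:
            continue  # exact match after normalization: the real project
        for k in sorted(known_norm):
            # Separators are dropped so added or moved hyphens do not hide a match
            d = edit_distance(name.replace("-", ""), k.replace("-", ""))
            if d <= max_distance:
                findings.append((raw, k, d))
    return findings

if __name__ == "__main__":
    # Constructed sample input, as it might appear in a requirements file
    sample = ["Requests", "reqeusts", "python_dateutil", "crytography", "flask"]
    for requested, resembles, dist in lookalikes(sample):
        print(f"{requested!r} resembles {resembles!r} (distance {dist})")
```

A hit is a prompt for manual review, not proof of malice; short project names produce more false positives at a distance of 2.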
Threat actors are taking advantage of open-source software vulnerabilities because of the lack of resources in open-source development and open-source (and some sponsored) delivery chains, such as NPM and PyPI, explained Scott Gerlach, co-founder and CSO at StackHawk. Gerlach said taking over abandoned projects, name spoofing, and malicious contributions are some ways attackers take advantage of under-resourced teams providing these pipelines.
“Organizations can start addressing this issue by contributing to open source projects with time and or money,” said Gerlach. “Providing source code contribution, code reviews, or helping with processes to protect those delivery chains can help add much needed resources to help protect these software and delivery mechanisms. This vector is being exploited due to its relatively low cost of entry and high effectiveness. It’s going to get harder and harder to keep up with such an effective attack vector without a major change in how these libraries get delivered into software that uses them.”
Mike Parkin, senior technical engineer at Vulcan Cyber, added that the case reported on by Cyble serves as a good example of the kind of supply chain attack threat actors have been favoring recently. Parkin said it’s also a good example of the proper response by the team running the repository, which quickly identified and removed the offending files.
“It's unlikely many projects were affected by these malicious libraries, but even if a few were compromised, it points to an issue with developers not necessarily doing enough to vet the code they're including in their projects,” said Parkin. “It's impractical to expect public repositories to do the job for you. While they do a lot, we can expect threat actors to keep using this approach, and the responsibility for vetting the libraries in use ultimately falls to the developers.”
Aviad Gershon, security researcher at Checkmarx, said the method of stealing cryptocurrency by altering the victim's clipboard has become increasingly prominent in malicious open-source packages. Gershon said in this case, it's one of several harmful activities, but Checkmarx researchers see more threat actors using this method as a quick way to monetize their efforts, as they wrote a few weeks ago.
“We expect this trend to continue increasing in the future,” said Gershon.