
Malicious PyPI packages resemble a legitimate VMware vSphere connector


A malicious PyPI package called “VMConnect”, found on July 28, was designed to closely resemble a legitimate VMware vSphere connector module while hiding malicious code inside.

In a blog post on Aug. 3, Sonatype researchers said they assigned the malicious package the identifier sonatype-2023-3387. The researchers said VMConnect contains much of the same code as its legitimate VMware counterpart and had been downloaded 237 times, according to PePy.tech.

The Sonatype researchers said they reported the malicious PyPI packages to the registry administrators, who promptly took them down. They also reached out to huski502, the user name listed on both the GitHub and PyPI versions of the counterfeit package. Although they gave notice well before going public, the researchers said they had not yet heard back.

While investigating VMConnect, the Sonatype researchers said they also discovered two more packages: “ethter” (253 downloads) and “quantiumbase” (216 downloads). They said the two packages share an identical structure and technique with VMConnect and carry the same payload.

“Within this brief timeframe of emerging packages, each with its distinct name and target, we discerned an ongoing campaign which we dubbed PaperPin,” wrote the Sonatype researchers. “VMware vSphere users should be diligent when it comes to obtaining the legitimate Python connector module and refer to the project’s official documentation and repo for instructions.”
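One concrete way to act on that advice before `pip install` ever runs is a gate over the requirements file: every package must be on an internal allowlist, pinned to an exact version, and hash-pinned so a substituted upload fails to install. The script below is an added example written for this article; it is not code from Sonatype, VMware, or the article itself. The allowlist names, the placeholder digest and the sample requirements are constructed for illustration, and `pyvmomi` is used on the assumption that it is the legitimate vSphere connector a given team relies on; adjust both to your own environment. Names are compared after PEP 503 normalisation, and any package not on the allowlist is reported together with the closest approved name and its edit distance, which surfaces near-duplicate names of the kind this campaign relied on.

```python
"""Pre-install gate for a requirements file: allowlist, version pin, hash pin.

Added example, not code from the article or from Sonatype/VMware. The
allowlist, the placeholder digest and the sample requirements below are
constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to show which approved name a stray package resembles."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    line_no: int            # logical line (backslash continuations joined)
    name: str
    problem: str
    closest_approved: Optional[str] = None
    distance: Optional[int] = None


# name, optional exact "==version", then the rest of the line (options such as --hash)
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s\\]+))?(.*)$")
HASH_OPT = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")


def check_requirements(text: str, allowlist: set[str], max_distance: int = 2) -> list[Finding]:
    """Return one Finding per policy violation; an empty list means the file passes."""
    approved = {normalize(n) for n in allowlist}
    findings: list[Finding] = []
    # Join backslash-continued lines so a --hash on the next line is seen with its package.
    logical = text.replace("\\\n", " ").splitlines()
    for line_no, raw in enumerate(logical, 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option line such as --index-url
        m = REQ_LINE.match(line)
        if not m:
            findings.append(Finding(line_no, line, "unparseable requirement"))
            continue
        name, version, rest = normalize(m.group(1)), m.group(2), m.group(3)
        if name not in approved:
            closest = min(approved, key=lambda n: levenshtein(name, n))
            d = levenshtein(name, closest)
            problem = "not on allowlist"
            if d <= max_distance:
                problem += " (near-duplicate of an approved name)"
            findings.append(Finding(line_no, name, problem, closest, d))
            continue
        if version is None:
            findings.append(Finding(line_no, name, "version not pinned with =="))
        if not HASH_OPT.search(rest):
            findings.append(Finding(line_no, name, "no --hash=sha256 pin"))
    return findings


# Constructed allowlist: pyvmomi is assumed to be the legitimate vSphere connector here.
APPROVED = {"pyvmomi", "requests", "urllib3"}

FAKE_SHA256 = "0" * 64  # placeholder digest; a real file carries the wheel's actual digest
SAMPLE_REQUIREMENTS = f"""\
# constructed sample: one compliant line, three that the gate should catch
pyvmomi==8.0.1.0 \\
    --hash=sha256:{FAKE_SHA256}
vmconnect==1.0.0
requests>=2.31
py-vmomi==8.0.1.0
"""

if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS, APPROVED):
        extra = f" (closest approved: {f.closest_approved}, distance {f.distance})" if f.closest_approved else ""
        print(f"line {f.line_no}: {f.name}: {f.problem}{extra}")
```

Run with `--require-hashes` semantics in mind: once every line carries a digest, `pip install --require-hashes -r requirements.txt` refuses anything whose digest differs, so a look-alike name that slips past review still cannot install unless its hash was also approved.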

Attackers know the importance of VMware vCenter and how developers interface with it, said John Bambenek, principal threat hunter at Netenrich. Bambenek said open source software libraries remain the soft underbelly through which attackers inject code into their victims’ environments.

“The visibility into this threat thankfully resulted in volunteers and security researchers paying attention and this was mitigated within three days,” said Bambenek. “We need to find a way to get this mitigated within hours or minutes.” 

Scott Gerlach, co-founder and CSO at StackHawk, added that threat actors are taking advantage of open source software vulnerabilities because of the lack of resources in open source development and open source delivery chains such as PyPI. Gerlach said taking over abandoned projects, name spoofing, and malicious contributions are some ways attackers take advantage of under-resourced teams providing these pipelines.

“Organizations can start addressing this issue by contributing to open source projects with time and or money,” said Gerlach. “Providing source code contribution, code reviews, or helping with processes to protect those delivery chains can help and add much needed resources to protect these software and delivery mechanisms.”
