Researchers from Phylum have found nearly 30 malicious packages in Python Package Index (PyPI) that attempt to infect developers’ systems with the W4SP Stealer Trojan. The packages are clones of popular software packages with names that make them seem legitimate. The malicious packages have been downloaded 5,700 times.
The attackers used various techniques to import their Trojan by modifying the init.py or setup.py script, which are subtle and hard to spot. That import statement creates a temporary file which is executed, downloading obfuscated code from multiple sites which contains a compressed object which is, actually, the W4SP Stealer, which is designed to steal information from users’ systems including browser passwords, crypto wallets and interesting files with financial related information.