Check Your Code: Malicious PyPI Packages Target Developers’ Data and Cryptocurrency
Cybersecurity company ESET has discovered a set of 116 malicious packages in the Python Package Index (PyPI) repository. The packages are designed to infect Windows and Linux systems with a custom backdoor. In some cases, the final payload is instead (or additionally) a variant of the W4SP Stealer infostealer or a simple clipboard monitor that steals cryptocurrency. Since May 2023, these packages have reportedly been downloaded more than 10,000 times.
The attackers behind this campaign used three main methods to embed malicious code into Python packages:
- Using a test.py script
- Embedding PowerShell commands in the setup.py file
- Including obfuscated code in the __init__.py file
Regardless of the method, the ultimate goal is to infect the target host with malware, primarily a backdoor capable of remotely executing commands, exfiltrating files, and taking screenshots. The backdoor module is implemented in Python for Windows and in Go for Linux.
Additionally, the attack chains often end with the deployment of W4SP Stealer or a clipboard hijacker (clipper), which closely monitors the victim’s clipboard and replaces copied wallet addresses with the attacker’s address.
This campaign is the latest in a series of malicious Python packages published by threat actors to abuse the open-source ecosystem as a supply-chain delivery channel for malware. Python developers are therefore strongly advised to review the contents of any package they download, in particular its setup.py and __init__.py files, before installing it on their systems.
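The three embedding methods above share a property worth exploiting defensively: the malicious code lives in a handful of predictable files (setup.py, __init__.py, test.py) and usually has to spawn a shell, decode an embedded blob, or call exec() on it. The following scanner is an added example, not ESET's tooling or code from any of the reported packages. It unpacks a source distribution (.tar.gz) in memory and flags those files when they contain such indicators. The regexes, the file list, and the two sample packages (BENIGN and SUSPICIOUS, constructed inline) are this example's own assumptions; the indicators are heuristics and will miss payloads that are obfuscated differently.

```python
import io
import re
import tarfile

# Heuristic indicators, modelled on the three embedding methods described above
# (PowerShell launched from setup.py, obfuscated/decoded code in __init__.py,
# a helper test.py). These patterns are this example's own choice, not ESET's.
INDICATORS = {
    r"powershell|-EncodedCommand|cmd\.exe": "shell command invoked during install",
    r"\bexec\s*\(|\beval\s*\(": "dynamic code execution",
    r"base64\.b64decode|codecs\.decode|zlib\.decompress|\.decode\(['\"]rot": "decoding of embedded blob",
    r"subprocess\.|os\.system\(|os\.popen\(": "process spawn",
    r"urllib\.request|requests\.get|socket\.connect": "network access",
}
# Files that run at install or import time, i.e. where install-time payloads hide.
WATCHED = ("setup.py", "__init__.py", "test.py")


def scan_sdist(data: bytes) -> dict:
    """Return {member_path: [reason, ...]} for watched files that match an indicator."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            basename = member.name.rsplit("/", 1)[-1]
            if basename not in WATCHED:
                continue
            src = tar.extractfile(member).read().decode("utf-8", errors="replace")
            hits = [why for pat, why in INDICATORS.items() if re.search(pat, src)]
            # Long whitespace-free literals are typical of packed or encoded payloads.
            if re.search(r"['\"][A-Za-z0-9+/=]{200,}['\"]", src):
                hits.append("long opaque string literal")
            if hits:
                findings[member.name] = hits
    return findings


def build_sdist(files: dict) -> bytes:
    """Pack {path: source} into an in-memory .tar.gz (used only to build constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: a harmless package.
BENIGN = build_sdist({
    "goodpkg-1.0/setup.py": "from setuptools import setup\nsetup(name='goodpkg', version='1.0')\n",
    "goodpkg-1.0/goodpkg/__init__.py": "def add(a, b):\n    return a + b\n",
})

# Constructed sample: setup.py launches PowerShell at install time and
# __init__.py decodes and exec()s an embedded blob. The encoded string is a
# placeholder, not a real payload.
SUSPICIOUS = build_sdist({
    "badpkg-1.0/setup.py": (
        "import subprocess\n"
        "from setuptools import setup\n"
        "subprocess.Popen(['powershell', '-EncodedCommand', 'SQBFAFgA'])\n"
        "setup(name='badpkg', version='1.0')\n"
    ),
    "badpkg-1.0/badpkg/__init__.py": "import base64\nexec(base64.b64decode('aW1wb3J0IG9z'))\n",
    "badpkg-1.0/badpkg/util.py": "x = 1\n",
})

if __name__ == "__main__":
    for label, blob in (("goodpkg", BENIGN), ("badpkg", SUSPICIOUS)):
        print(label, scan_sdist(blob) or "no indicators")
```

To run this against a real package without installing it, fetch the source distribution first with `pip download <name> --no-deps --no-binary :all: -d ./sdists` and pass the downloaded archive's bytes to scan_sdist(); a non-empty result means the files that pip or Python would execute deserve a manual read before `pip install`.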
Previously, we reported on other malicious packages in the PyPI repository. For example, five packages discovered at the end of January contained the W4SP Stealer infostealer. In November, it was revealed that packages disguised as popular Python libraries had attracted thousands of downloads worldwide, including in the US and China. During that wave of infections, both data and cryptocurrency belonging to IT professionals were stolen.