    Malicious PyPI package transfers WhiteSnake InfoStealer malware to Windows computers

    By techempire

    January 29, 2024 | Editorial Department | PyPI repository/malware

    Cybersecurity researchers have discovered malicious packages in the open-source Python Package Index (PyPI) repository that deliver an information-stealing malware called WhiteSnake Stealer on Windows systems.

    The malware-containing packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They were uploaded by a threat actor known as “WS”.

    “These packages incorporate Base64-encoded PE source code or other Python scripts in their setup.py files,” Fortinet FortiGuard Labs said in an analysis published last week.

    “Depending on the victim device’s operating system, the final malicious payload is dropped and executed when these Python packages are installed.”
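A static triage check for the pattern Fortinet describes (Base64-encoded PE or Python code inside `setup.py`), given here as an added example that is not from Fortinet or the original article. The function names, the length threshold and the inert sample blobs are constructed assumptions.

```python
import ast
import base64
import binascii

MIN_LEN = 40  # assumption: shorter literals are unlikely to hide a payload

def classify_blob(text):
    """Return 'pe', 'python' or None for a string literal that may be Base64."""
    compact = "".join(text.split())
    if len(compact) < MIN_LEN:
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None                      # not strict Base64 (URLs, prose, ...)
    if raw[:2] == b"MZ":                 # DOS/PE header magic
        return "pe"
    try:
        decoded = raw.decode("utf-8")
        ast.parse(decoded)               # parse only, never execute
    except (UnicodeDecodeError, SyntaxError, ValueError):
        return None
    return "python" if ("import " in decoded or "exec(" in decoded) else None

def scan_setup_py(source):
    """Statically scan setup.py source text; it is never imported or run."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            kind = classify_blob(node.value)
            if kind:
                findings.append((node.lineno, kind))
    return sorted(findings)

# Constructed, inert sample input: an "MZ" header followed by zero bytes and a
# harmless two-line script, each embedded the way the report describes.
_PE_STUB = base64.b64encode(b"MZ" + bytes(62)).decode()
_PY_STUB = base64.b64encode(b"import platform\nname = platform.system()\n").decode()
SAMPLE_SETUP = (
    "from setuptools import setup\n"
    f"blob_a = '{_PE_STUB}'\n"
    f"blob_b = '{_PY_STUB}'\n"
    "setup(name='example-pkg', url='https://example.invalid/project/homepage/index.html')\n"
)

if __name__ == "__main__":
    for lineno, kind in scan_setup_py(SAMPLE_SETUP):
        print(f"setup.py:{lineno}: Base64 literal decodes to {kind}")
```

Run it against the `setup.py` of an unpacked sdist before installing; a hit is a reason for manual review, not proof of malice.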

    While Windows systems were infected with WhiteSnake Stealer, infected Linux hosts received Python scripts designed to gather information. The campaign, which targets Windows users, overlaps with previous campaigns disclosed by JFrog and Checkmarx last year.

    “The Windows-specific payload was identified as […] The WhiteSnake malware has an Anti-VM mechanism, uses the Tor protocol to communicate with the C&C server, and can steal the victim’s information and execute commands,” JFrog pointed out in April 2023.

    It is also designed to extract data from web browsers, cryptocurrency wallets and applications such as WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal and Telegram.

    Checkmarx is tracking the threat actors behind a campaign dubbed PYTA31 and says the ultimate goal is to steal sensitive data from target computers, specifically encrypted wallet data.

    Some of the newly released rogue packages have also been observed to contain clipper functionality, which overwrites the clipboard contents with a wallet address owned by the attacker to perform unauthorized transactions. Others have been configured to steal data from browsers, applications and encrypted services.

    Fortinet said the discovery “demonstrates the ability of a single malware author to spread a large number of information-stealing malware packages into the PyPI repository over time, each with a different complex payload.”

    The disclosure comes as ReversingLabs discovered that two malicious packages in the npm package registry used GitHub to store Base64-encoded SSH keys stolen from the systems of the developers who installed them.
