Twelve malicious Python libraries found and removed from PyPI
A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code. The 12 packages have been discovered in two separate scans by a security engineer who goes online by the name of Bertus, and have long been removed from PyPI before this article’s publication. All packages were put together and worked following a similar pattern.
Their creator(s) copied the code of popular packages and created a new library, but with a slightly modified name. For example, four packages (diango, djago, dajngo, djanga) were misspellings of Django, the name of a very popular Python framework. The people behind these malicious packages added malicious code to these newly-created, but fully functional projects, and more specifically to the setup.py files.
Setup.py files contain a set of instructions that Python library installers like ‘pip’ execute automatically when downloading and setting up a new package inside a Python project. The nature of this extra code was to perform various malicious operations and varied per each malicious library. Bertus discovered a first set of 11 malicious packages on October 13 (see table below), and another malicious package on October 21.
The first set of malicious libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations.