Stack Overflow Exploited: Cybercriminals Push Malicious Python Package

Published on June 3rd, 2024

A recent discovery in the Python Package Index (PyPI) repository has cybersecurity experts issuing warnings about a new malicious Python package designed to facilitate cryptocurrency theft within a broader cyber campaign.

The Malicious Package: pytoileur

The malicious package, named pytoileur, has garnered attention after being downloaded 316 times.

Its author, known as PhilipsPY, uploaded version 1.0.2 of the package following the removal of version 1.0.1 by PyPI maintainers on May 28, 2024.

Analysis Of Malicious Code

Security firm Sonatype conducted an analysis revealing that the package’s script embeds malicious code, capable of executing a Base64-encoded payload.

This payload retrieves a Windows binary named ‘Runtime.exe’ from an external server, which is then executed using Windows PowerShell and VBScript commands.
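As an added illustration (not code from the article or from Sonatype's analysis), a small static check a defender could run over a package's install script: it flags exec()/eval() calls fed by base64 decoding and inspects literal base64 strings for script-host, binary or download indicators. The sample install script is constructed and decodes only to harmless text.

```python
import ast
import base64

# Constructed sample of a package install script (not the real pytoileur
# code): a harmless print() is hidden behind base64 so the scanner has
# something to flag, and a second literal decodes to text naming PowerShell.
_HIDDEN_CODE = base64.b64encode(b"print('hello')").decode()
_HIDDEN_TEXT = base64.b64encode(b"sample text mentioning powershell").decode()
SAMPLE_SETUP_PY = f'''
from setuptools import setup
import base64

exec(base64.b64decode("{_HIDDEN_CODE}"))
note = base64.b64decode("{_HIDDEN_TEXT}")

setup(name="example-pkg", version="0.0.1")
'''

RUNNERS = {"exec", "eval"}
INDICATORS = ("powershell", "vbscript", "wscript", "cmd.exe", ".exe", "http://", "https://")


def _is_b64decode(node: ast.AST) -> bool:
    """True for calls of the form <something>.b64decode(...)."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "b64decode")


def scan_setup_script(source: str) -> list[str]:
    """Flag exec/eval fed by b64decode, and b64decode of a literal whose
    decoded text names a script host, a binary, or a download URL."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        # exec(...) / eval(...) whose argument subtree contains a b64decode call
        if isinstance(node.func, ast.Name) and node.func.id in RUNNERS:
            if any(_is_b64decode(sub) for sub in ast.walk(node)):
                findings.append(f"line {node.lineno}: {node.func.id}() of base64-decoded data")
        # decode literal arguments and look for indicators in the plaintext
        if _is_b64decode(node) and node.args and isinstance(node.args[0], ast.Constant):
            try:
                decoded = base64.b64decode(node.args[0].value).decode("utf-8", "replace")
            except (ValueError, TypeError):
                continue
            hits = [i for i in INDICATORS if i in decoded.lower()]
            if hits:
                findings.append(f"line {node.lineno}: decoded literal mentions {', '.join(hits)}")
    return findings
```

Run `scan_setup_script(SAMPLE_SETUP_PY)` to see both findings; a clean setup.py returns an empty list.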

Impact Of The Malware

Once installed, the binary establishes persistence and deploys additional payloads, including spyware and a stealer malware designed to gather data from web browsers and cryptocurrency services.

Propagation Through Stack Overflow

Sonatype also identified a Stack Overflow account named “EstAYA G,” which directed users to install the rogue pytoileur package as a solution to their queries.

This manipulation of a reputable platform for malware propagation is a concerning escalation.

Response From Stack Overflow

Upon investigation, Stack Overflow’s Trust & Safety team suspended the offending account and removed the violating content from the platform.

Connection To Prior Campaigns

Further examination of the package metadata and authorship history revealed similarities with previous campaigns involving bogus Python packages such as Pystob and Pywool, disclosed by Checkmarx in November 2023.

Supply Chain Attacks In Open-Source Ecosystems

These findings underscore the ongoing threat posed by malicious actors targeting open-source ecosystems.

Such attacks, including the deployment of information stealers like Bladeroid, exploit vulnerabilities in the software supply chain to compromise multiple targets simultaneously.