Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.
PyPI is a software repository for packages created in the Python programming language. As the index hosts 200,000 packages, it allows developers to find existing packages that satisfy various project requirements, saving time and effort.
Between January 27 and January 29, 2023, a threat actor uploaded five malicious packages containing the ‘W4SP Stealer’ information-stealing malware to PyPi.
While the packages have since been removed, they have already been downloaded by hundreds of software developers. These five packages and their download stats are:
- 3m-promo-gen-api – 136 downloads
- Ai-Solver-gen – 132 downloads
- hypixel-coins – 116 downloads
- httpxrequesterv2 – 128 downloads
- httpxrequester – 134 downloads
The vast majority of these downloads occurred in the first couple of days following the initial upload of the packages, which incentivizes these malicious actors to try uploading the same code onto PyPI via new packages and through a new account when they get banned.
Hiding a password-stealer
Security researchers at Fortinet discovered the packages and found that when they are installed, they attempt to steal passwords saved in browsers, cookies, and cryptocurrency wallets.
While Fortinet did not identify the type of information-stealing malware, BleepingComputer identified the malware as W4SP Stealer, which has become heavily abused in packages on PyPI.
The malware first steals data from web browsers, such as Google Chrome, Opera, Brave Browser, Yandex Browser, and Microsoft Edge.
It then attempts to steal authentication cookies from Discord, Discord PTB, Discord Canary, and the LightCord client.
Finally, the malware will attempt to steal the Atomic Wallet and Exodus cryptocurrency wallets and cookies for The Nations Glory online game, as shown below.
Additionally, the malware targets a list of websites, attempting to retrieve sensitive user information that would help its operator steal accounts.
Some of the targeted sites include:
- Coinbase.com
- Gmail.com
- YouTube.com
- Instagram.com
- PayPal.com
- Telegram.com
- Hotmail.com
- Outlook.com
- Aliexpress.com
- ExpressVPN.com
- eBay.com
- Playstation.com
- xbox.com
- Netflix.com
- Uber.com
After gathering all data it finds on the compromised machine, the malware uses its ‘upload’ function to upload the stolen data using a Discord webhook, which posts it to the threat actor’s server.
Discord webhooks allow users to send messages containing files to a Discord server and are commonly abused to steal files, Discord tokens, and other information.
.png)
Fortinet also noticed the presence of functions that check files for specific keywords and, if found, attempt to steal them using the “transfer.sh” file transfer service. The keywords relate to banking, passwords, PayPal, cryptocurrency, and multi-factor authentication files.
Of particular interest is that some of the keywords are in French, indicating that the threat actor may be from France.
The complete list of keywords targeted for data theft is listed below:
As package repositories, such as PyPi and NPM, are now commonly used to distribute malware, developers must analyze the code in packages before adding them to their projects.
If any obfuscated code or unusual behavior is present in the downloaded package, it should not be used and instead reported on the repository.
