Software downloaded 30,000 times from PyPI ransacked developers' machines


Open source packages, which were estimated to have been downloaded 30,000 times from the PyPI open source repository, contained malicious code that secretly stole credit card information and credentials and injected malicious code into infected computers, researchers said Thursday.

In a post, researchers Andrey Polkovnichenko, Omer Kaspi and Shachar Menashe of DevOps software developer JFrog said they recently found eight packages in PyPI that performed a range of malicious activities. Based on research on, a website that provides download statistics for Python packages, the researchers estimate that the malicious packages were downloaded about 30,000 times.

Systemic threat

The discovery is the latest in a long line of attacks over the past few years that have compromised the integrity of the open source repositories that millions of software developers rely on every day. Despite their critical role, repositories often lack robust security and auditing controls, a weakness that can lead to serious supply-chain attacks when developers unknowingly infect themselves or incorporate malicious code into the software they publish.

“The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread attacks on the supply chain,” JFrog CTO Asaf Karas wrote in an email. “The ability for attackers to inject malware using simple obfuscation techniques means developers need to be concerned and vigilant. This is a systemic threat that needs to be actively addressed on several levels, both by the maintainers of software repositories and by the developers.”

The researchers thanked PyPI maintainer Dustin Ingram “for the quick response and removal of the malicious packages” once he was notified. Ingram did not immediately respond to a request for comment.

The packages reported Thursday performed different types of nefarious activity. Six of them carried three payloads: one to collect authentication cookies for Discord accounts, a second to extract passwords or payment card details saved by browsers, and a third to collect information about the infected PC, such as its IP address, computer name and username.

The remaining two packages contained malware that attempted to connect to an attacker-designated IP address on TCP port 9009 and then execute whatever Python code was received over the socket. It isn't known what the IP address was or whether it was hosting malware.


Like most amateur Python malware, the packages used only simple obfuscation such as Base64 encoding. Here is a breakdown of the packages:

Package name    Maintainer    Payload
noblesse        xin1111       Discord token stealer, credit card stealer (Windows-based)
genesisbot      xin1111       Same as noblesse
aryi            xin1111       Same as noblesse
suffer          suffer        Same as noblesse, obfuscated with PyArmor
noblesse2       suffer        Same as noblesse
noblessev2      suffer        Same as noblesse
pytagora        leonora123    Remote code injection
pytagora2       leonora123    Same as pytagora
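The Base64-wrapped payloads described above leave a recognizable signature in a package's source: a call to exec() or eval() whose argument is a decoded string constant. The following scanner is an added example, not JFrog's tooling or code from the packages; it parses a Python file with the standard ast module, flags dynamic execution of decoded data, and also tries decoding long string constants to see whether they hide code-like text. The two sample sources it checks are constructed for illustration.

```python
"""Flag Python source that executes Base64-decoded code (added example)."""
import ast
import base64

DYNAMIC_EXEC = {"exec", "eval"}
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode"}
# Substrings that suggest a decoded constant is a second-stage script.
CODE_HINTS = ("exec(", "import socket", "subprocess", "requests.")


def _calls_decoder(node):
    """True if any base64-style decoder call appears anywhere inside node."""
    for sub in ast.walk(node):
        if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Attribute)
                and sub.func.attr in DECODERS):
            return True
    return False


def _decoded_strings(tree):
    """Yield string constants that decode as valid Base64 to readable text."""
    for sub in ast.walk(tree):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str) \
                and len(sub.value) >= 16:
            try:
                text = base64.b64decode(sub.value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            if all(c.isprintable() or c.isspace() for c in text):
                yield text


def scan_source(source):
    """Return a list of (line, reason) findings for one Python source string."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DYNAMIC_EXEC
                and any(_calls_decoder(a) for a in node.args)):
            findings.append((node.lineno, f"{node.func.id}() of decoded data"))
    for text in _decoded_strings(tree):
        if any(hint in text for hint in CODE_HINTS):
            findings.append((0, "Base64 constant decodes to code-like text"))
    return findings


# Constructed samples: a harmless use of base64 and a hidden second stage.
BENIGN = "import base64\nTOKEN = base64.b64encode(b'abc')\nprint(TOKEN)\n"
STAGE = base64.b64encode(b"import socket\nprint('beacon')\n").decode()
SUSPICIOUS = f"import base64\nexec(base64.b64decode('{STAGE}'))\n"
```

Run scan_source() over each .py file under site-packages (or over a package's sdist before installing it) and review anything it flags by hand; a hit is a reason to inspect, not proof of malice.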

Karas told me that the first six packages could infect a developer's computer but could not infect the developer's code with malware.

“This would be possible for both the pytagora and pytagora2 packages, which allow code to run on the machine on which they were installed,” he said in a direct message. “After infecting the development machine, they allowed the code to run and then the attacker could download a payload that modifies the software projects under development. However, we have no evidence that this was actually done.”

Beware of “Frankenstein” malware packages

Instead of spending days developing code that performs common tasks, programmers can turn to repositories like PyPI, RubyGems, or npm for mature packages already written by their peers. The 2.7 million packages available on PyPI include, for example, ones that let a developer's app predict the sale price of a house from data on the Internet, send e-mail through Amazon's Simple Email Service, or check open source code for vulnerabilities. PyPI provides packages for software written in Python, while RubyGems and npm provide packages for Ruby and JavaScript apps.

This critical role makes repositories an ideal environment for supply-chain attacks, which are becoming increasingly common and use techniques known as typosquatting and dependency confusion.

Attacks on repository supply chains date back at least to 2016, when a college student uploaded malicious packages to PyPI. Over a period of several months, the bogus code was run more than 45,000 times on more than 17,000 different domains, and more than half the time it ran with all-powerful administrative privileges. Since then, supply-chain attacks have occurred regularly at RubyGems and npm. In the past few months, white-hat hackers have devised a new type of supply-chain attack that works by uploading malicious packages to public code repositories and giving them names identical to packages stored in the internal repositories of popular software makers. These so-called dependency confusion attacks have already snared Apple, Microsoft and 33 other companies.

The JFrog researchers said that with the current state of repository security, the internet is likely to experience more attacks in the future.

“Almost all of the code snippets analyzed in this study were based on popular public tools with only a few parameters changed,” they wrote. “The obfuscation was also based on public obfuscators. We expect more of these ‘Frankenstein’ malware packages, put together from various attack tools (with modified exfiltration parameters), to appear.”