
Experts discover over 451 clipper malware-laced packages in the PyPI repository


Threat actors published more than 451 unique malware-laced Python packages on the official Python Package Index (PyPI) repository.

Phylum researchers spotted more than 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to deliver clipper malware on the developer systems.

According to the experts, the activity is still ongoing and is part of a malicious campaign that they first discovered in November 2022.

Threat actors have typosquatted several major packages in PyPI such as:

  • bitcoinlib
  • ccxt
  • cryptocompare
  • cryptofeed
  • freqtrade
  • selenium
  • solana
  • vyper
  • websockets
  • yfinance
  • pandas
  • matplotlib
  • aiohttp
  • beautifulsoup
  • tensorflow
  • selenium
  • scrapy
  • colorama
  • scikit-learn
  • pytorch
  • pygame
  • pyinstaller

The researchers reported that the attackers are trying to register the same code under every possible simple typo of a package name. The process is simple and easy to automate.

Phylum pointed out that the obfuscation technique used in these packages is significantly different from the packages they have spotted in November 2022. 

Upon installation of a malicious package, a JavaScript file is dropped onto the system and executed in the background of any web browsing session, allowing it to replace a cryptocurrency address with the attacker's address every time a developer copies one.

“Ultimately, this code is attempting to do exactly what we discovered in November’s blog post and that is quietly replace any crypto wallet address copied to the user’s clipboard with the attacker’s controlled wallet addresses,” reads the analysis published by Phylum. “It does that by creating a browser extension and then writes the following JavaScript to that extension:”

The malware establishes persistence by instructing the developer’s browser(s) to load this extension anytime a browser is opened.

The clipper malware targets popular web browsers, including Google Chrome, Microsoft Edge, Brave, and Opera. The malware modifies the browser shortcuts so that the browser is launched with the `--load-extension` command-line flag pointing at the malicious extension.

“This attacker significantly increased their footprint in pypi through automation. Flooding the ecosystem with packages like this will continue,” concludes the report. “The use of Chinese characters, or any other Unicode plane for that matter, is an easy misdirection to detect and to dismiss.”


Pierluigi Paganini

(SecurityAffairs – hacking, clipper malware)