Connect with us

Hi, what are you looking for?

Cyber Security

PyPI package ‘keep’ mistakenly included a password stealer

PyPI packages ‘keep,’ ‘pyanxdns,’ ‘api-res-py’ were found to be containing a backdoor due to the presence of malicious ‘request’ dependency within some versions.

For example, while most versions of ‘keep’ project use the legitimate Python module requests for making HTTP requests, ‘keep’ v.1.2 contains ‘request’ (without s) which is malware.

BleepingComputer reached out to the authors of each of these packages to understand if this was caused by a mere typographical error,  self-sabotage, or by maintainer accounts getting hijacked.

PyPI package ‘keep’ uses malicious ‘request’

Some versions of PyPI packages, ‘keep,’ ‘pyanxdns,’ and ‘api-res-py’ were caught using a malicious dependency, ‘request,’

Back in May, GitHub user duxinglin1 noticed the vulnerable versions contained the misspelled ‘request’ dependency, as opposed to the legitimate requests library.

As such, the following CVEs have been assigned this week with regards to the vulnerable versions:

  • CVE-2022-30877 – ‘keep’ version 1.2 contains the backdoor ‘request’, contrary to what the advisory implies.
  • CVE-2022-30882 – ‘pyanxdns’ version 0.2 impacted
  • CVE-2022-31313 – ‘api-res-py’ version 0.1 impacted

Although ‘pyanxdns’ and ‘api-res-py’ might be small scale projects,  the ‘keep’ package, in particular, gets downloaded over 8,000 times in a week on average—with its version 1.2 using the malicious dependency:

PyPI keep package homepage
Version 1.2 of PyPI package ‘keep’ contains a reference to malicious ‘request’ dependency
pypi package keep uses request as a dependency
Usage of malicious ‘request’ dependency in ‘keep’ version 1.2 (BleepingComputer)

Back in 2020, Tencent Onion Anti-Intrusion System discovered a malicious typosquat ‘request’ uploaded to the PyPI registry which impersonated the requests HTTP library but instead dropped malicious info-stealers.

“We found a malicious backdoor in version 1.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by PyPI, many mirror sites did not completely delete this package, so it could still be installed,” writes GitHub user duxinglin1.

The malicious code inside the counterfeit ‘request’ is highlighted below:

Inside counterfeit PyPI package request
Inside counterfeit PyPI package ‘request’ (BleepingComputer)

Line 57 contains a base64-encoded URL to the ‘check.so’ malware shown below. Threat intel analyst blackorbird additionally identified another URL (x.pyx), also shown below, associated with the counterfeit ‘request’ dependency:

http://dexy[.]top/request/check.so
http://dexy[.]top/x.pyx

The file ‘check.so’ delivers a Remote Access Trojan (RAT), whereas ‘x.pyx’ obtained by BleepingComputer contains info-stealing malware that steals cookies and personal information from web browsers such as Chrome, Firefox, Yandex, Brave, and many more:

x.pyx file contents
x.pyx file contents decoded by BleepingComputer (BleepingComputer)

The info-stealing trojan will attempt to steal login names and passwords stored in web browsers.

After obtaining access to user credentials, threat actors can then attempt to compromise other accounts used by the developer, potentially leading to even further supply-chain attacks.

Hijack or a genuine typo?

The presence of a malicious dependency in multiple PyPI packages does raise a crucial  question—how did this occur?

BleepingComputer reached out to the authors of each of these packages to understand if this was caused by a mere typographical error,  self-sabotage, or by maintainer accounts getting hijacked.

We heard back from the author and maintainer of ‘pyanxdns’, Marky Egebäck, who confirms this is resulting from a typographical error rather than an account compromise.

And, from the looks of it, it appears the authors of other two packages also inadvertently introduced ‘request’ as opposed to the legitimate ‘requests’ due to an innocent typing mistake.

Advertisement. Scroll to continue reading.

“Sorry to say by a simple typo in the setup.py file since git history shows that this was added when the install_requires was added by me,” Egebäck told BleepingComputer.

The developer has since reuploaded a new version to PyPI and deleted the version referencing the malicious “request” dependency.

“This was [an] honest mistake based on a typo in the setup.py. I generally don’t publish things on PyPI but I made this quickly for a friend and myself. Not sure if he as promoted this but the purpose was mainly for personal use in [an] internal docker project,” says Egebäck.

Egebäck appreciated GitHub user duxinglin1 for highlighting the presence of the malicious dependency in his project and explained how he hasn’t spent much time in maintaining the contributed Python project lately:

“What can of course have been done a lot better would have been to have fixed this earlier but did not understand the severity of it and since I put very little time sadly [nowadays] with coding it took a long time,” says Egebäck.

When coding applications, innocent typing mistakes on the developer’s part can inadvertently lend success to typosquatting attacks that count on such exact slip ups to compromise the broader software supply chain.

Although in this case, the malicious ‘request’ dependency has long been removed from the PyPI registry, anybody using a vulnerable version of the PyPI packages and relying on a mirror to fetch dependencies can end up with malicious info-stealers on their system.

Source: https://www.bleepingcomputer.com/news/security/pypi-package-keep-mistakenly-included-a-password-stealer/

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Telegram Messenger offers global, cloud-based instant messaging with several features:- Cybersecurity researchers at Securlist recently found several Telegram mods on Google Play in various...

Cyber Security

AttackCrypt, an open-source “crypter,” was recently used by cybercriminals to hide malware binaries and avoid antivirus detection. A crypter is a kind of software that can...

Cyber Security

We are glad to present the most recent news on cybersecurity in this week’s Threat and Vulnerability Roundup from Cyber Writes.  The latest attack...

Cyber Security

The cybercrime group evaded remediation efforts by installing persistent backdoors and deploying “new and novel malware.” A Chinese-linked hacking group that security researchers say...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO