Dozens Of PyPI Packages With Info-Stealing Malware “W4SP” Were Found

PyPI, or the Python Package Index, is a massive collection of code and applications written in the Python programming language. As with all large repositories of applications and code, a few bad apples sneak in unnoticed from time to time, and PyPI is no exception despite being well-curated.

Researchers found 29 obfuscated Python packages in the PyPI registry that mimic popular libraries but instead drop the W4SP info stealer on infected machines. Other packages use GyruzPIP malware, allegedly created for “educational purposes only.”

  • W4SP info stealer retrieves Discord tokens, cookies and saved passwords;
  • The GyruzPIP malware is based on the evil-pip open-source project, published “for educational purposes only”. GyruzPIP is designed to steal Chrome passwords, cookies, and Discord tokens and upload all collected data to a Discord webhook.

The packages contain intentional typos in the names to look like well-known Python libraries in the hope that developers trying to find the real library will make a spelling mistake and inadvertently download one of the malicious ones.

The research shows that the attackers inject malicious code into codebases taken from legitimate libraries. The attack starts by copying an existing popular library and injecting a malicious “__import__” statement into the package’s otherwise healthy codebase.

In the report, the researchers explained in detail the challenges they faced in parsing obfuscated code with more than 71,000 characters.
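The two traits described above, an injected `__import__` call and very long obfuscated lines, can be checked statically without running the package. The scanner below is an added example, not code from the Phylum report or from this article; the 1,000-character threshold, the extra `exec`/`eval` checks, and the sample strings are assumptions made for illustration.

```python
import ast
import sys
from pathlib import Path

MAX_LINE = 1000                                 # assumed threshold for "not hand-written"
DYNAMIC_CALLS = {"__import__", "exec", "eval"}  # exec/eval are an added assumption

def scan_source(source, filename="<constructed>"):
    """Return sorted (line, reason) findings for one Python source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if len(line) > MAX_LINE:
            findings.append((lineno, f"line of {len(line)} characters"))
    try:
        tree = ast.parse(source, filename=filename)  # parses only, never executes
    except (SyntaxError, ValueError) as exc:
        findings.append((getattr(exc, "lineno", None) or 0, "file does not parse"))
        return sorted(findings)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Bare call such as __import__("x"), or attribute form builtins.__import__("x").
        if isinstance(func, ast.Name) and func.id in DYNAMIC_CALLS:
            findings.append((node.lineno, f"call to {func.id}()"))
        elif isinstance(func, ast.Attribute) and func.attr == "__import__":
            findings.append((node.lineno, "call to __import__()"))
    return sorted(findings)

def scan_tree(root):
    """Scan every .py file under an unpacked sdist or wheel directory."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples: a clean module, and the same module with one appended line.
CLEAN = "import os\n\ndef home():\n    return os.path.expanduser('~')\n"
INJECTED = CLEAN + "_ = __import__('base64').b64decode('" + "QUFB" * 400 + "')\n"

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print(scan_source(INJECTED))
    for target in targets:
        for path, hits in scan_tree(target).items():
            for lineno, reason in hits:
                print(f"{path}:{lineno}: {reason}")
```

Run it against a directory where a downloaded package has been unpacked but not installed; a finding is a prompt for manual review, since legitimate code also uses `__import__` occasionally.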

Phylum researchers report that all packages have been downloaded more than 5,700 times. Additionally, software developer and researcher Hauke Lübbers discovered the PyPI packages “pystile” and “threadings” containing malware disguised as “GyruzPIP”.

The code in these two packages is very simple to parse: each function name says what it does, such as stealing passwords, browser cookies, and Discord tokens and uploading this data to a Discord webhook.

Lübbers, who has reported these packages to the PyPI maintainer, told BleepingComputer that for these projects to behave maliciously, they might need to be included as dependencies in the program.

PyPI is a software repository for the Python programming language. It is similar to CPAN, Perl’s repository. PyPI assists you in finding and installing software created and shared by the Python community. There are currently over 350,000 Python packages available on PyPI.

List of malicious packages found by Phylum researchers:

  1. algorithmic
  2. colorsama
  3. colorwin
  4. curlapi
  5. cypress
  6. duonet
  7. faq
  8. fatnoob
  9. felpesviadinho
  10. iao
  11. incrivelsim
  12. installpy
  13. oiu
  14. pydprotect
  15. pyhints
  16. pyptext
  17. pyslyte
  18. pystyle
  19. pystyle
  20. pyrurllib
  21. requests-httpx
  22. shaasigma
  23. strinfer
  24. stringe
  25. sutiltype
  26. twine
  27. type-color
  28. typesstring
  29. typesutil

This week’s incident is just one of several recent phishing attacks targeting developers using open-source software distribution platforms like PyPI and npm.

Meet Vishak, TechLog360's Content Editor and tech enthusiast. With a Computer Science degree and a passion for all things tech, Vishak delivers the latest in hardware, apps, and games with expertise. Trusted for his in-depth reviews and industry insights, he's your guide to the digital world. Off-duty, he's exploring photography and virtual gaming landscapes.

