#InfoSec FYI: There's a massive #typosquatting campaign targeting PyPI. Someone's clearly reached the automation section of "Black Hat Python"
This is the same actor as highlighted by Phylum yesterday - currently they're pushing a cryptostealer everywhere they can, but who knows what's next.
Recently, they've started typosquatting the following packages (& showing example typosquat):
* xlsxwriter (ex. xlsxwwriter)
* urllib3 (rllib3)
* simplejson (simplejsn)
* requests-toolbelt (requests-toollbelt)
* discord-webhook (disocrd-webhook)
* discord-py (discod-py)
* websocket-client (weebsocket-client)
* openpyxl (oepnpyxl)
* pillow (pilloow)
* click (clickk)
* pysocks (ysocks)
* psutil (psuil)
* gitpython (gitpythn)
* pycodestyle (pycodestye)
* prompt-toolkit (prompt-toolkiit)
* beautifulsoup (baeutifulsoup)
Edit: PyPI has removed the above!
If your company uses your own PyPI mirror, I'd recommend disallowing new packages released within the past ~week (as a general precaution, tbh).
@tweedge wouldn't it make sense for PyPI and other registries to allow only names for new packages with a certain minimum Levenshtein distance to all other existing packages?
@eliasp IIRC PyPI was doing this (or something similar) but it's either a. disabled due to an excess of false positives or b. restricted to only some of the top packages
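As an added illustration of the distance-based check discussed above (example code, not from anyone in this thread or from PyPI), the snippet below normalizes a requested name per PEP 503 and flags it for review when it sits within a small Levenshtein distance of a known-popular package; `KNOWN_PACKAGES` is a constructed list built from the names in the post, and the "flag, don't auto-block" threshold is an assumption.

```python
import re

# Constructed allow-list taken from the package names in the post above.
KNOWN_PACKAGES = [
    "xlsxwriter", "urllib3", "simplejson", "requests-toolbelt", "discord-webhook",
    "discord-py", "websocket-client", "openpyxl", "pillow", "click", "pysocks",
    "psutil", "gitpython", "pycodestyle", "prompt-toolkit", "beautifulsoup",
]

def normalize(name):
    """PEP 503 normalization: lowercase and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) via a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def closest_known(name, max_distance=2):
    """Return (known_name, distance) for the nearest known package within
    max_distance, or None. An exact (normalized) match is not a typosquat."""
    n = normalize(name)
    known = {normalize(k): k for k in KNOWN_PACKAGES}
    if n in known:
        return None
    dist, orig = min((levenshtein(n, k), orig) for k, orig in known.items())
    if dist > max_distance:
        return None
    return orig, dist

def review_requirements(names, max_distance=2):
    """Map each suspicious requested name to its nearest known package.
    Assumed policy: hits are queued for human review, since legitimate names
    can legitimately differ from a popular one by a character or two."""
    flagged = {}
    for name in names:
        hit = closest_known(name, max_distance)
        if hit:
            flagged[name] = hit
    return flagged
```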
@Taniwha @eliasp source is me (though I'm sure I'm not the only one who saw this)
PyPI removed the named packages already, yay, so unfortunately can't show them off anymore. I have copies though :)
Here's Phylum's blog post about this threat actor yesterday: https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack
@tweedge Nice, thanks for sharing, as well as the original article link. In the packages you downloaded, did you find any Internet IOCs? Wondering if we can see the post-install behavior and connect things. We have typosquat detectors for domains, but this is an interesting twist. I know I've installed the wrong package before because of some small difference in the name. Nice report by Phylum too.
@knitcode Hmm, the browser extension that this creates could be worth extracting and reporting, though I've honestly struggled to see results with highlighting malware on VT, even boosting via Twitter and Reddit, etc. No external communication is needed by this malware so no domains/IPs/etc. to block :(