cybersecurity.theater is one of the many independent Mastodon servers you can use to participate in the fediverse.
Taking the "Twitter" out of "InfoSec Twitter."


Chris Partridge

FYI: There's a massive campaign targeting PyPI. Someone's clearly reached the automation section of "Black Hat Python" 🙄

This is the same actor as highlighted by Phylum yesterday - currently they're pushing a cryptostealer everywhere they can, but who knows what's next.

Recently, they've started typosquatting the following packages (& showing example typosquat):
* xlsxwriter (ex. xlsxwwriter)
* urllib3 (rllib3)
* simplejson (simplejsn)
* requests-toolbelt (requests-toollbelt)
* discord-webhook (disocrd-webhook)
* discord-py (discod-py)
* websocket-client (weebsocket-client)
* openpyxl (oepnpyxl)
* pillow (pilloow)
* click (clickk)
* pysocks (ysocks)
* psutil (psuil)
* gitpython (gitpythn)
* pycodestyle (pycodestye)
* prompt-toolkit (prompt-toolkiit)
* beautifulsoup (baeutifulsoup)

Edit: PyPI has removed the above!

If your company uses your own PyPI mirror, I'd recommend disallowing new packages released within the past ~week (as a general precaution, tbh).

@tweedge wouldn't it make sense for PyPI and other registries to allow only names for new packages with a certain minimum Levenshtein distance to all other existing packages?

@eliasp IIRC PyPI was doing this (or something similar) but it's either a. disabled due to an excess of false positives or b. restricted to only some of the top packages

@tweedge @eliasp where did the information come from? Or is there any public source yet? Can’t find anything public yet.

@Taniwha @eliasp source is me (though I'm sure I'm not the only one who saw this)

PyPI removed the named packages already, yay, so unfortunately can't show them off anymore. I have copies though :)

Here's Phylum's blog post about this threat actor yesterday: blog.phylum.io/phylum-discover

Link preview (blog.phylum.io): "Phylum Discovers Revived Crypto Wallet Address Replacement Attack" - Phylum discovers over 200 unique malicious packages targeting popular PyPI packages like Selenium.

@tweedge Nice, thanks for sharing, as well as the original article link. In the packages you downloaded, did you find any Internet IOCs? Wondering if we can see the post-install behavior and connect things. We have typosquat detectors for domains, but this is an interesting twist. I know I've installed the wrong package before because of some small difference in the name. Nice report by Phylum too.

@knitcode Hmm, the browser extension that this creates could be worth extracting and reporting, though I've honestly struggled to see results with highlighting malware on VT, even boosting via Twitter and Reddit, etc. No external communication is needed by this malware so no domains/IPs/etc. to block :(