Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang version of the Sliver command-and-control (C2) framework inside a PNG image of the project's logo.
The package using this steganographic trickery is requests-darwin-lite, which had been downloaded 417 times before it was taken down from the Python Package Index (PyPI) registry.
Requests-darwin-lite "appeared to be a fork of the ever-popular requests package with a few key differences, most notably the inclusion of a malicious Go binary packed into a large version of the actual requests side-bar PNG logo," software supply chain security firm Phylum said.
The modifications were introduced in the package's setup.py file, which was configured to decode and execute a Base64-encoded command to collect the system's Universally Unique Identifier (UUID), but only after confirming that the compromised host is running Apple macOS.
The finding also comes a little over a month after the company discovered a rogue npm package named vue2util that poses as a helper utility but is designed to carry out a cryptojacking scheme and steal a victim's USDT tokens.
The package "exploits the ERC20 contract (USDT) approval mechanism, covertly granting unlimited approval to the attacker's contract address, effectively allowing the attacker to drain the victim's USDT tokens," Phylum noted.
In what is an interesting twist, the infection chain proceeds only if the identifier matches a specific value, implying that the author(s) behind the package are attempting to breach a particular machine whose identifier they already possess, obtained through some other means.
This raises two possibilities: either this is a highly targeted attack, or it is some kind of testing process ahead of a broader campaign.
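The setup.py behaviour described above (a platform check, a Base64-decoded string, and that decoded string handed to a shell) is a pattern a reviewer can look for statically before installing a package. The following scanner is an added example written for this article, not Phylum's tooling or the package's own code: it parses a setup.py with Python's `ast` module, records decoder calls, execution sinks and platform gates, and reports when decoded data flows (directly or via an assigned name) into a sink. The sample setup.py it scans is constructed here and decodes only a harmless `echo` command; the function names `scan_setup_py` and `is_suspicious` are this example's own.

```python
"""Static check for install-time "decode, then execute" patterns in a setup.py.

Added example for this article; not the real requests-darwin-lite setup.py.
"""
from __future__ import annotations

import ast
import base64
from dataclasses import dataclass

# Calls that turn an encoded blob back into something runnable.
DECODERS = {"base64.b64decode", "base64.b85decode", "codecs.decode",
            "zlib.decompress", "bytes.fromhex"}
# Calls that execute a string or bytes as code or as a shell command.
SINKS = {"exec", "eval", "os.system", "os.popen", "subprocess.run",
         "subprocess.Popen", "subprocess.call", "subprocess.check_call",
         "subprocess.check_output"}
# Calls / attributes commonly used to gate behaviour on the host OS.
GATE_CALLS = {"platform.system", "platform.mac_ver", "os.uname"}
GATE_ATTRS = {"sys.platform"}


@dataclass(frozen=True)
class Finding:
    kind: str       # "decoder", "sink", "decode-to-exec" or "platform-gate"
    lineno: int
    detail: str


def dotted_name(node: ast.AST) -> str | None:
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source: str) -> list[Finding]:
    tree = ast.parse(source)
    findings: list[Finding] = []
    tainted: set[str] = set()   # names assigned from a decoder result

    def is_decoder_call(n: ast.AST) -> bool:
        return isinstance(n, ast.Call) and dotted_name(n.func) in DECODERS

    def mentions_taint(n: ast.AST) -> bool:
        """True if the subtree contains a decoder call or a tainted name."""
        return any(is_decoder_call(sub) or (isinstance(sub, ast.Name) and sub.id in tainted)
                   for sub in ast.walk(n))

    # Pass 1: names assigned (directly or transitively) from decoded data.
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and mentions_taint(node.value):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))

    # Pass 2: decoders, sinks, platform gates and decoded data reaching a sink.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in DECODERS:
                findings.append(Finding("decoder", node.lineno, name))
            if name in GATE_CALLS:
                findings.append(Finding("platform-gate", node.lineno, name))
            if name in SINKS:
                findings.append(Finding("sink", node.lineno, name))
                args = list(node.args) + [kw.value for kw in node.keywords]
                if any(mentions_taint(a) for a in args):
                    findings.append(Finding("decode-to-exec", node.lineno,
                                            f"{name} receives decoded data"))
        elif isinstance(node, ast.Attribute) and dotted_name(node) in GATE_ATTRS:
            findings.append(Finding("platform-gate", node.lineno, dotted_name(node)))
    return findings


def is_suspicious(source: str) -> bool:
    """Install-time code that executes something it first had to decode."""
    return any(f.kind == "decode-to-exec" for f in scan_setup_py(source))


# Constructed sample: the encoded command is a harmless echo.
ENCODED = base64.b64encode(b"echo constructed-sample").decode()
SAMPLE_SETUP_PY = f'''
import base64
import platform
import subprocess
from setuptools import setup

# install-time hook that only fires on macOS (constructed for this example)
if platform.system() == "Darwin":
    cmd = base64.b64decode("{ENCODED}")
    subprocess.check_output(cmd.decode(), shell=True)

setup(name="example-lite", version="0.1.0")
'''
CLEAN_SETUP_PY = 'from setuptools import setup\nsetup(name="example", version="1.0")\n'

if __name__ == "__main__":
    for f in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {f.lineno}: {f.kind}: {f.detail}")
    print("suspicious:", is_suspicious(SAMPLE_SETUP_PY))
```

The taint tracking is deliberately shallow (assignment to a plain name only); it is meant as a pre-install triage signal, not a replacement for reading the file. A `decode-to-exec` hit in a setup.py is worth a manual look regardless of what the package claims to be.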
Should the UUID match, requests-darwin-lite proceeds to read data from a PNG file named "requests-sidebar-large.png," which resembles the legitimate requests package's own file, "requests-sidebar.png."
What is different here is that while the real logo embedded within requests has a file size of 300 kB, the one contained within requests-darwin-lite is around 17 MB.
The binary data hidden within the PNG image is the Golang-based Sliver, an open-source C2 framework designed for use by security professionals in their red team operations.
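A 17 MB "logo" that should be 300 kB is the kind of anomaly a packaging pipeline can catch without knowing anything about Sliver. The example below is added for this article (it is not Phylum's tooling, and the page does not say exactly how the binary was packed into the image): it walks a PNG's chunk structure, verifies each chunk CRC, and reports bytes trailing the IEND chunk or unexpectedly large non-standard chunks, which are the two simplest places to hide a payload in an otherwise valid image. The 1x1 PNG and the appended bytes are constructed inline; `inspect_png` and `is_anomalous` are this example's own names.

```python
"""Structural sanity check for PNG files shipped inside a package.

Added example for this article; not code from the package or from Phylum.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types an ordinary decoder understands; anything else deserves a look.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
                b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs",
                b"sBIT", b"tIME", b"hIST", b"sPLT"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_tiny_png() -> bytes:
    """Constructed 1x1 RGB PNG standing in for the legitimate logo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    raw = b"\x00" + b"\xff\x00\x00"                      # filter byte + one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def inspect_png(data: bytes) -> dict:
    """Parse chunks up to IEND and record anything that does not belong."""
    report = {"signature_ok": data[:8] == PNG_SIGNATURE, "chunks": [],
              "bad_crc": 0, "unknown_chunks": [], "trailing_bytes": 0, "error": None}
    if not report["signature_ok"]:
        report["error"] = "not a PNG"
        return report
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            report["error"] = f"truncated {ctype!r} chunk at offset {pos}"
            return report
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        crc_ok = struct.unpack(">I", crc_bytes)[0] == expected
        name = ctype.decode("latin-1")
        report["chunks"].append((name, length, crc_ok))
        if not crc_ok:
            report["bad_crc"] += 1
        if ctype not in KNOWN_CHUNKS:
            report["unknown_chunks"].append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            # Anything after IEND is invisible to viewers but still on disk.
            report["trailing_bytes"] = len(data) - pos
            return report
    report["error"] = "no IEND chunk"
    return report


def is_anomalous(report: dict, max_unknown_chunk_bytes: int = 64 * 1024) -> bool:
    """Flag parse errors, appended data, CRC damage, or large unknown chunks."""
    return (report["error"] is not None
            or report["trailing_bytes"] > 0
            or report["bad_crc"] > 0
            or any(n > max_unknown_chunk_bytes for _, n in report["unknown_chunks"]))


if __name__ == "__main__":
    clean = make_tiny_png()
    # Constructed stand-in for a payload appended to an otherwise valid image.
    bloated = clean + b"CONSTRUCTED-PAYLOAD" * 100
    for label, blob in (("clean", clean), ("bloated", bloated)):
        r = inspect_png(blob)
        print(label, len(blob), "bytes, trailing:", r["trailing_bytes"],
              "anomalous:", is_anomalous(r))
```

Pairing this structural check with a plain size comparison against the upstream file (300 kB versus 17 MB in this case) gives a cheap, content-agnostic signal; it does not identify what the hidden bytes are, only that the image carries more than an image.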
The exact end goal of the package is currently unclear, but the development is once again a sign that open-source ecosystems continue to be an attractive vector for distributing malware.
With the vast majority of codebases relying on open-source code, the steady influx of malware into npm, PyPI, and other package registries, not to mention the recent XZ Utils episode, has highlighted the need to address these issues in a systematic manner, since they otherwise can "derail large swaths of the web."