- Researchers found three malicious PyPI packages: two targeting Bitcoin developers and one targeting WooCommerce stores
- Two are designed to steal data, and the third to test whether stolen credit cards are still valid
- All three have since been removed from the repository
Several open source packages on the Python Package Index (PyPI) repository have turned out to be malicious and have probably compromised thousands of devices, experts have warned.
Cybersecurity researchers at ReversingLabs found two malicious packages, “bitcoinlibdbfix” and “bitcoinlib-dev”, which together accumulated 2,000 downloads.
Both claim to be a fix for a legitimate Python module called “bitcoinlib”, which provides functionality for creating and managing cryptocurrency.
WooCommerce stores are also targeted
Recently, the bitcoinlib community discussed an issue with how the package generates error messages.
The attackers saw this as an opportunity: they created the two malicious packages and jumped into the conversation to try to distribute them. This does not appear to have worked: “The malicious content of this library was detected by the package's contributors and the comments have been deleted,” said Arox.
Both libraries attempted a similar attack, the researchers said. The idea was to overwrite the legitimate “clw” CLI command with malicious code that exfiltrates sensitive database files.
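One cheap local check against the command-overwrite trick described above is to list every console-script entry point in a Python environment and flag any command name registered by a distribution other than the one expected to own it. This is an added example written for this article, not code from ReversingLabs or the bitcoinlib project; the expected-owner mapping and the sample entry-point data are constructed assumptions.

```python
"""Flag console-script entry points that shadow a trusted package's CLI."""
from collections import defaultdict
from importlib import metadata

# Assumed mapping of CLI command -> distribution expected to provide it
# (constructed for this example; extend it for your own environment).
TRUSTED_OWNERS = {"clw": "bitcoinlib"}


def find_shadowed_commands(entry_points, trusted=TRUSTED_OWNERS):
    """entry_points: iterable of (command_name, distribution_name) pairs.

    Returns {command: sorted list of distributions} for every trusted
    command that is also registered by a distribution other than its
    expected owner. An empty dict means no collisions were found.
    """
    providers = defaultdict(set)
    for command, dist in entry_points:
        providers[command].add(dist.lower())
    shadowed = {}
    for command, owner in trusted.items():
        others = providers.get(command, set()) - {owner.lower()}
        if others:
            shadowed[command] = sorted(others)
    return shadowed


def installed_console_scripts():
    """Collect (command, distribution) pairs from the running environment."""
    pairs = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"] or ""
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                pairs.append((ep.name, name))
    return pairs


if __name__ == "__main__":
    # Constructed sample mirroring the incident: a second distribution also
    # registers "clw". A real audit would pass installed_console_scripts().
    sample = [("clw", "bitcoinlib"), ("clw", "bitcoinlibdbfix"), ("pip", "pip")]
    print(find_shadowed_commands(sample))  # -> {'clw': ['bitcoinlibdbfix']}
```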
Meanwhile, researchers at Socket found a third package, which targets not Bitcoin developers but WooCommerce stores. This package does not even try to hide its true intentions and falls into the “openly malicious” category. Despite being obvious malware, it still managed to rack up 37,217 downloads.
The malware is called “disgrasya” and operates as a fully automated carding script. “The malicious payload was introduced in version 7.36.9, and all subsequent versions carried the same integrated attack logic,” said Socket.
Carding is a form of cybercrime in which stolen credit card details are used to make purchases or unauthorized test transactions to check whether the card is still active. Since criminals often buy these details from dark web card shops, whoever built and distributed Disgrasya could have profited greatly.
Via The Hacker News