The maintainers of Python Package Index (PyPI), the Python software repository, have temporarily disabled the sign up and package upload processes due to an ongoing attack.
The maintainers opted to disable the above functionalities because they have observed a spike in the creation of malicious users and projects on the index in the past week.
The announcement doesn’t provide details about the attacks, such as the threat actors, their motivations and the malicious code employed in the attacks.
The threat actors publish malicious packages to the PyPI repository and try to trick developers into using them through social engineering, such as intentional typos in package names and high version numbers.
The repository is a prime target for threat actors seeking to carry out supply chain attacks against developers.
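A defender can screen dependency lists for the two lures described above, look-alike names and inflated version numbers. The following is an added example, not code from PyPI or from the original article; the allowlist, thresholds and sample requirement lines are constructed assumptions.

```python
import re

# Constructed allowlist (assumption): project -> highest major version already vetted.
KNOWN = {"requests": 2, "urllib3": 2, "numpy": 1, "python-dateutil": 2}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of -, _ and . become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Swapped neighbours ("eu" for "ue") count as a single edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def review(requirement, max_distance=2, major_slack=5):
    """Return findings for one 'name==version' requirement line."""
    name, _, version = requirement.strip().partition("==")
    name = normalize(name)
    findings = []
    if name in KNOWN:
        # Vetted name: only check for a version far beyond what was reviewed.
        major = re.match(r"\d+", version)
        if major and int(major.group()) > KNOWN[name] + major_slack:
            findings.append(f"{name}: version {version} far above vetted major {KNOWN[name]}")
        return findings
    # Unvetted name: flag it when it sits close to a vetted one.
    for known in KNOWN:
        if osa_distance(name, known) <= max_distance:
            findings.append(f"{name}: not vetted, resembles '{known}'")
    return findings

# Constructed sample input.
SAMPLE = ["requests==2.31.0", "reqeusts==2.31.0", "numpy==99.0.0",
          "Python_Dateutil==2.8.2", "flask==2.3.2"]

if __name__ == "__main__":
    for line in SAMPLE:
        for finding in review(line) or ["no finding"]:
            print(line, "->", finding)
```

A line with no finding is not thereby trusted; the check only surfaces names and versions that deserve a manual look before installation.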
This week, ReversingLabs researchers warned of two malicious packages in the npm package repository, named nodejs-encrypt-agent and nodejs-cookie-proxy-agent, that contain an open-source info-stealer called TurkoRat.
TurkoRat is an information-stealing malware that can obtain a broad range of data from the infected machine, including account login credentials, cryptocurrency wallets, and website cookies. The malware also supports anti-sandbox and anti-analysis functionality to avoid detection and prevent being analyzed.
According to the experts, the activity is still ongoing and is part of a malicious campaign that they discovered in November 2022.
[Source: SecurityAffairs / 5.21.]