
Python Developers Beware: Clipper Malware Found in 450+ PyPI Packages!

Feb 14, 2023 | Ravie Lakshmanan | Cryptocurrency / Software Security


Malicious actors have published more than 451 unique Python
packages on the official Python Package Index (PyPI) repository in
an attempt to infect developer systems with clipper malware[1].

Software supply chain security company Phylum, which spotted the libraries[2], said the ongoing
activity is a follow-up to a campaign that was initially disclosed
in November 2022.

The initial vector entails using typosquatting[3]
to mimic popular packages such as beautifulsoup, bitcoinlib,
cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy,
selenium, solana, and tensorflow, among others.

“After installation, a malicious JavaScript file is dropped to
the system and executed in the background of any web browsing
session,” Phylum said[4]
in a report published last year. “When a developer copies a
cryptocurrency address, the address is replaced in the clipboard
with the attacker’s address.”

This is achieved by creating a Chromium web browser extension in
the Windows AppData folder and writing to it the rogue JavaScript
and a manifest.json file[5]
that requests the permissions needed to read and modify the
clipboard.


Targeted web browsers include Google Chrome, Microsoft Edge,
Brave, and Opera, with the malware modifying browser shortcuts to
load the add-on automatically upon launch using the
"--load-extension" command line switch.
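The two host artifacts described above, a browser shortcut carrying a `--load-extension` argument and a side-loaded extension whose manifest asks for clipboard permissions, are what a defender would look for on a developer workstation. The following is an added example, not code from the article or from Phylum, that audits both using constructed sample inputs; it assumes the shortcut arguments have already been extracted (for instance with the WScript.Shell COM object) and are passed in as strings.

```python
import json
import re

# Constructed sample inputs (not taken from the article): the "Arguments"
# field of several browser shortcuts, plus the manifest of a side-loaded extension.
SHORTCUT_ARGS = {
    r"C:\Users\dev\Desktop\Google Chrome.lnk":
        r'--load-extension="C:\Users\dev\AppData\Roaming\ChromeExt"',
    r"C:\Users\dev\Desktop\Brave.lnk": "",
    r"C:\Users\dev\Desktop\Edge.lnk": "--profile-directory=Default",
}

MANIFEST_JSON = """{
  "manifest_version": 3,
  "name": "Updater",
  "version": "1.0",
  "permissions": ["clipboardRead", "clipboardWrite"],
  "background": {"service_worker": "background.js"},
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}"""

# --load-extension takes one or more comma-separated directories; the value
# may or may not be wrapped in double quotes depending on how the shortcut was written.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def extension_paths_from_args(args: str) -> list[str]:
    """Return every directory a shortcut's arguments side-load via --load-extension."""
    paths = []
    for m in LOAD_EXT_RE.finditer(args):
        value = m.group(1) or m.group(2)
        paths.extend(p for p in value.split(",") if p)
    return paths


def manifest_clipboard_permissions(manifest_text: str) -> list[str]:
    """List clipboard-related permissions a Chromium manifest.json requests."""
    manifest = json.loads(manifest_text)
    requested = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    return sorted(p for p in requested if p.lower().startswith("clipboard"))


def audit_shortcuts(shortcuts: dict[str, str]) -> dict[str, list[str]]:
    """Map each shortcut that side-loads an extension to the directories it loads."""
    return {lnk: paths for lnk, args in shortcuts.items()
            if (paths := extension_paths_from_args(args))}
```

A legitimate developer shortcut can also carry `--load-extension`, so treat a hit as a lead to inspect the loaded directory's manifest, not as a verdict on its own.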

The latest set of Python packages exhibits a similar, if not
identical, modus operandi and is likewise designed to swap
cryptocurrency wallet addresses in the clipboard. What has changed
is the obfuscation technique used to conceal the JavaScript code.

The ultimate goal of the attacks is to hijack cryptocurrency
transactions initiated by the compromised developer and reroute
them to attacker-controlled wallets instead of the intended
recipient.

“This attacker significantly increased their footprint in pypi
through automation,” Phylum noted. “Flooding the ecosystem with
packages like this will continue.”

The findings coincide with a report[6]
from Sonatype, which found 691 malicious packages in the npm
registry and 49 malicious packages in PyPI during the month of
January 2023 alone.

The development once again[7]
illustrates the growing threat[8]
developers face from supply chain attacks, with adversaries relying
on methods like typosquatting to trick users into downloading
fraudulent packages.


References

  1. clipper malware (thehackernews.com)
  2. spotted the libraries (blog.phylum.io)
  3. typosquatting (thehackernews.com)
  4. said (blog.phylum.io)
  5. manifest.json file (developer.chrome.com)
  6. report (blog.sonatype.com)
  7. once again (thehackernews.com)
  8. growing threat (blog.sonatype.com)
  9. Twitter (twitter.com)
  10. LinkedIn (www.linkedin.com)
