
JuiceLedger Hackers Behind the Recent Phishing Attacks Against PyPI Users

More details have emerged about the operators behind the
first-known phishing campaign[1] specifically aimed at
the Python Package Index (PyPI), the official third-party software
repository for the programming language.

Attributing the campaign to a threat actor tracked as
JuiceLedger, cybersecurity firm SentinelOne, working with
Checkmarx, described the group as a relatively new entity that
surfaced in early 2022.

Initial “low-key” campaigns are said to have involved the use of
rogue Python installer applications to deliver a .NET-based malware
called JuiceStealer that’s engineered to siphon passwords and other
sensitive data from victims’ web browsers.

The attacks escalated significantly last month when the
JuiceLedger actors targeted PyPI package contributors[2] in a
phishing campaign, resulting in three packages being compromised
with malware.

“The supply chain attack on PyPI package contributors appears to
be an escalation of a campaign begun earlier in the year which
initially targeted potential victims through fake cryptocurrency
trading applications,” SentinelOne researcher Amitai Ben Shushan
Ehrlich said[3]
in a report.

The goal is presumably to infect a wider audience with the
infostealer through a mix of trojanized and typosquat packages, the
cybersecurity firm added.
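Typosquat packages work because a near-miss name ("urlib3", "colourama") looks right at a glance. As an added example, not code from the article or from SentinelOne, the script below scans a requirements file and flags names within a small edit distance of a well-known package without being an exact match. The allow-list and the sample requirements content are constructed for the example; a real check would use a larger, maintained list of popular PyPI names.

```python
"""Flag typosquat candidates in a requirements file by edit distance to well-known names.

Added example; the popular-name list and sample requirements are constructed here,
not taken from the article.
"""
import re

# Constructed allow-list of popular PyPI project names (assumption: a real check
# would use a much larger, maintained list).
POPULAR = ["requests", "urllib3", "numpy", "pandas", "cryptography", "colorama", "setuptools"]

# Constructed requirements.txt content for the example (not from the article).
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
urlib3>=1.26   # one letter missing
numpy
colourama==0.4.5
pytz
"""


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance with insert/delete/substitute cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _, . to a single dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Extract normalized project names from requirement lines, ignoring comments and specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize(m.group(0)))
    return names


def typosquat_candidates(names, popular=POPULAR, max_distance=2):
    """Return (name, closest_popular, distance) for names near, but not equal to, a popular name."""
    pop = [normalize(p) for p in popular]
    hits = []
    for n in names:
        if n in pop:
            continue  # exact match to a known name: not a typosquat
        best = min(pop, key=lambda p: levenshtein(n, p))
        d = levenshtein(n, best)
        if d <= max_distance:
            hits.append((n, best, d))
    return hits


if __name__ == "__main__":
    for name, near, d in typosquat_candidates(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{name!r} is {d} edit(s) from {near!r}: verify before installing")
```

A hit is a prompt to check the project page and maintainer, not proof of malice; legitimate forks and deliberately similar names exist, so the distance threshold should stay small to keep the false-positive rate manageable.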

The development adds to growing concerns[4]
surrounding the security of the open source ecosystem, prompting
Google to announce monetary rewards[5] for finding flaws in its
open source projects.

With account takeover attacks becoming a popular infection
vector for attackers looking to poison software supply chains, PyPI
has begun imposing a mandatory two-factor authentication (2FA)
requirement for projects deemed “critical.”

“JuiceLedger appears to have evolved very quickly from
opportunistic, small-scale infections only a few months ago to
conducting a supply chain attack on a major software distributor,”
SentinelOne said.

References

  1. first-known phishing campaign (thehackernews.com)
  2. targeted PyPI package contributors (thehackernews.com)
  3. said (www.sentinelone.com)
  4. growing concerns (thehackernews.com)
  5. announce monetary rewards (thehackernews.com)