29 malicious PyPI packages spotted delivering the W4SP Stealer

Cybersecurity researchers discovered 29 malicious PyPI packages delivering the W4SP stealer to developers’ systems.

Cybersecurity researchers have discovered 29 packages in the official Python Package Index (PyPI) repository designed to infect developers’ systems with an info-stealing malware dubbed W4SP Stealer.

“It appears that these packages are a more sophisticated attempt to deliver the W4SP Stealer on to Python developer’s machines by hiding a malicious import” states security firm Phylum. “Similar to this attacker’s previous attempts, this particular attack starts by copying existing popular libraries and simply injecting a malicious import statement into an otherwise healthy codebase.”

The attack started around October 12, 2022 and peaked on October 22. The malicious import was simply injected into either the setup.py or the init.py in the majority of packages, especially the earlier ones.

Threat actors changed tactics over the time and started taking advantage of Python’s seldomly used semicolon to hide the malicious code onto the same line as other legitimate code.

The researchers also observed the attacker attempting to evade detection without using the import statement in a few packages. In these cases, attackers used the setup.py file to try and pip install one of the other malicious packages that did have the malicious code.

Below is a list of the suspicious packages discovered by the experts:

typesutil
typestring
sutiltype
duonet
fatnoob
strinfer
pydprotect
incrivelsim
twyne
pyptext
installpy
faq
colorwin
requests-httpx
colorsama
shaasigma
stringe
felpesviadinho
cypress
pystyte
pyslyte
pystyle
pyurllib
algorithmic
oiu
iao
curlapi
type-color
pyhints

Collectively, the above packages have totaled more than 5,700 downloads.

“As this is an ongoing attack with constantly changing tactics from a determined attacker, we suspect to see more malware like this popping up in the near future” Phylum concludes.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.