29 malicious PyPI packages spotted delivering the W4SP Stealer

Cybersecurity researchers discovered 29 malicious PyPI packages delivering the W4SP stealer to developers’ systems.

Cybersecurity researchers have discovered 29 packages in the official Python Package Index (PyPI) repository designed to infect developers’ systems with an info-stealing malware dubbed W4SP Stealer.

“It appears that these packages are a more sophisticated attempt to deliver the W4SP Stealer on to Python developer’s machines by hiding a malicious import” states security firm Phylum. “Similar to this attacker’s previous attempts, this particular attack starts by copying existing popular libraries and simply injecting a malicious import statement into an otherwise healthy codebase.”

The attack started around October 12, 2022 and peaked on October 22. The malicious import was simply injected into either the setup.py or the init.py in the majority of packages, especially the earlier ones.

Threat actors changed tactics over the time and started taking advantage of Python’s seldomly used semicolon to hide the malicious code onto the same line as other legitimate code.

The researchers also observed the attacker attempting to evade detection without using the import statement in a few packages. In these cases, attackers used the setup.py file to try and pip install one of the other malicious packages that did have the malicious code.

Below is a list of the suspicious packages discovered by the experts:

• typesutil
• typestring
• sutiltype
• duonet
• fatnoob
• strinfer
• pydprotect
• incrivelsim
• twyne
• pyptext
• installpy
• faq
• colorwin
• requests-httpx
• colorsama
• shaasigma
• stringe
• felpesviadinho
• cypress
• pystyte
• pyslyte
• pystyle
• pyurllib
• algorithmic
• oiu
• iao
• curlapi
• type-color
• pyhints

Collectively, the above packages have totaled more than 5,700 downloads.

“As this is an ongoing attack with constantly changing tactics from a determined attacker, we suspect to see more malware like this popping up in the near future” Phylum concludes.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]