The maintainers of Python Package Index (PyPI), the Python software repository, have temporarily disabled the sign up and package upload processes due to an ongoing attack.
The maintainers opted to disable the above functionalities because they have observed a spike in the creation of malicious users and projects on the index in the past week.
“New user and new project name registration on PyPI is temporarily suspended. The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave,” reads the Incident Report for Python Infrastructure published by the maintainers. “While we re-group over the weekend, new user and new project registration is temporarily suspended.”
The announcement doesn’t provide details about the attacks, such as the threat actors, their motivations and the malicious code employed in the attacks.
Threat actors publish malicious packages to the PyPI repository and attempt to trick developers into using them through social engineering tricks, such as intentional typos in package names and high version numbers.
The repository is a prime target for threat actors seeking to carry out supply chain attacks against developers.
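As an added example (not code from the incident report or from PyPI), the following Python sketch audits a requirements list for the two tricks described above: names within a small edit distance of a vetted package, and pins whose major version jumps far past the vetted one. The allowlist, the sample requirements, and the `max_distance` and `major_jump` thresholds are assumptions constructed for illustration.

```python
import re

# Constructed allowlist (assumption): vetted package names and the newest version reviewed.
KNOWN_GOOD = {"requests": "2.31.0", "urllib3": "2.0.2",
              "numpy": "1.24.3", "cryptography": "40.0.2"}

# Constructed sample requirements file.
SAMPLE = ["requests==2.31.0", "reqeusts==2.31.0", "numpy==99.0.0",
          "urllib==1.0", "flask==2.3.2", "# pinned by CI", "Crypto_graphy==40.0.2"]

def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_', '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Optimal string alignment distance: a swap of adjacent letters counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def major(version):
    """Leading integer of a version string, 0 when there is none."""
    m = re.match(r"\d+", version)
    return int(m.group()) if m else 0

def audit(lines, max_distance=2, major_jump=10):
    """Return (name, reason, matched_known_name) for each suspicious pin."""
    findings = []
    for line in lines:
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([\w.]+))?", line)
        if not m:  # comments and blank lines do not start with a package name
            continue
        name, version = normalize(m.group(1)), m.group(2)
        if name in KNOWN_GOOD:
            # Exact name: only a large jump in major version is suspicious.
            if version and major(version) >= major(KNOWN_GOOD[name]) + major_jump:
                findings.append((name, "version-jump", name))
            continue
        for good in KNOWN_GOOD:
            if edit_distance(name, good) <= max_distance:
                findings.append((name, "possible-typosquat", good))
                break
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A distance threshold of 2 produces false positives on very short package names, so findings are prompts for review against the allowlist rather than verdicts.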
This week, ReversingLabs researchers warned of two malicious packages in the npm package repository, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, that contained an open-source info-stealer called TurkoRat.
TurkoRat is an information-stealing malware that can obtain a broad range of data from the infected machine, including account login credentials, cryptocurrency wallets, and website cookies. The malware also supports anti-sandbox and anti-analysis functionalities to avoid detection and prevent being analyzed.
In February, Phylum researchers spotted more than 451 unique Python packages on the PyPI repository that attempted to deliver clipper malware to developer systems.
According to the experts, the activity is still ongoing and is part of a malicious campaign that they discovered in November 2022.
(SecurityAffairs – hacking, supply chain attacks)