Following news that threat analysts have discovered ten malicious Python packages on the PyPI repository, used to infect developer's systems with password-stealing malware (10 malicious PyPI packages found stealing developer's credentials (bleepingcomputer.com)), Henning Horst, Chief Technology Officer at comforte AG, explains the risks of password-stealing malware:
Malware is a common tool threat actors use to steal credentials and sensitive information. There is a broad range of malware families out there that do everything from secretly capturing users' movements to locking up systems. Organizations must mitigate such risks through constant backup to ensure data can be restored rapidly if it is locked, and also utilize proven data-centric security to foil the attack itself. If data is neutralized using modern data-centric techniques – such as tokenization or format-preserving encryption - that enable data use and data analytics in the enterprise while protected while restricting access to the minimum live data, attackers will get the equivalent of digital coal, not data gold.
Victor Acin, Labs Manager at Outpost24, adds more about the history of these attacks:
Using fake packages to distribute malware is something that has been around for a long time, as typically package distribution sites, specially for python, lack any sort of proper control mechanisms, as any user can upload a new package as long as the name hasn’t been used before.
In this talk at RootedCon, two analysts were able to infect more than 800 devices in a “Whitehat” exercise by doing exactly what the article you mentioned describes, uploading modified packages with slight name changes (for example creating the package “reqeusts” to trick users looking for the package “requests”: https://www.slideshare.net/
It’s not surprising though that this technique is becoming more “mainstream” after recent incidents came to light where actual developers of these packages sabotaged them in a hacktivist attempt to bring attention to social or political issues: https://www.bleepingcomputer.
Interestingly enough, some companies are starting to take measures to prevent these types of incidents. For example, github, a Microsoft company, is implementing code signing to help prevent supply chain attacks trying to infect the repositories hosted in the platform: https://www.wired.com/story/
Martin Jartelius, Chief Security Officer of Outpost24, explains further about these types of attacks:
This is recurring problem, we have seen both incidents based on this form or typosquatting attacks as well as incidents based on intentional or accidental breaches of security in open source supersede chains – essentially it is a risk that comes native to the idea of using someone else's code as an integral part of your own. You invest trust in an unknown individual or group, and pass that on to those in turn depending on you. Most of the time it works out great, but you must always judge the risk, and as here, even after doing so ensure to be thorough.