Entry points threaten multiple open-source ecosystems

Sign illustrating how vulnerabilities with entry points can be exploited by hackers to threaten open-source packages of multiple programming ecosystems.

While current tools have improved at detecting common tactics for exploiting open-source packages, a feature remains largely overlooked: entry points.

Security researchers at Checkmarx uncovered how attackers can leverage entry points across multiple programming ecosystems, with a particular focus on PyPI, to trick victims into running malicious code. This method – while not allowing for immediate system compromise – offers a subtler approach for patient attackers to...

14 October 2024 | Developer

Sonatype exposes malicious PyPI package ‘pytoileur’

Sonatype has exposed 'pytoileur', a malicious PyPI package designed to download and install trojanised Windows binaries capable of surveillance, commandeering persistence, and stealing cryptocurrency. This discovery is part of a broader, months-long "Cool package" campaign aimed at infiltrating the coding community.

Yesterday, an automated malware detection system operated by Sonatype, known as the Sonatype Repository Firewall, flagged a newly published PyPI package called...

29 May 2024 | Hacking & Security

Phylum uncovers targeted malware disguised in Python package

Phylum’s cybersecurity experts have detected a malicious payload embedded within a popular Python package on the PyPI repository. The package, named requests-darwin-lite, is an unauthorised variant of the widely-used requests library.

The requests-darwin-lite package was cleverly designed to emulate its legitimate counterpart but included a Go binary concealed within an oversized image file pretending to be a simple logo. This file – a PNG labelled as a sidebar image –...

13 May 2024 | Hacking & Security

PyPI suspends registrations amid malware attack

The Python Package Index (PyPI) has suspended new project creation and user registration to mitigate an ongoing malware upload campaign. This move comes as security researchers at Checkmarx uncovered a campaign involving multiple malicious packages related to the same threat actors.

The attackers are targeting victims through typosquatting attacks, tricking users into installing malicious Python packages through their command-line interface. This multi-stage attack aims to steal...

28 March 2024 | Developer

Python packages caught using DLL sideloading to bypass security

ReversingLabs researchers have uncovered Python packages using DLL sideloading to bypass security tools.

On 10 January 2024, Karlo Zanki, a reverse engineer at ReversingLabs, stumbled upon two suspicious packages on the Python Package Index (PyPI). These packages – named NP6HelperHttptest and NP6HelperHttper – were found to be utilising DLL sideloading, a known technique used by malicious actors to execute code discreetly and evade detection from security tools.

This...

21 February 2024 | Hacking & Security

Open source wins concessions in new EU cyber law

The European Cyber Resilience Act (CRA) has undergone substantial revisions, bringing relief to the open-source community.

Back in April, the Python Software Foundation (PSF) had expressed concerns about potential repercussions for CPython and PyPI if the initial form of CRA were to be enacted.

The primary worry was that, in the course of providing open-source software, the PSF and the Python community might assume legal responsibility for security issues in products...

15 January 2024 | Open Source

Malicious PyPI package discovered in ongoing ‘PaperPin’ campaign

In a recent analysis conducted by Sonatype, a malicious Python Package Index (PyPI) package named 'VMConnect' was discovered masquerading as the legitimate VMware vSphere connector module 'vConnector'.

The counterfeit package was found to contain sinister code designed to compromise users' systems. Further investigation revealed an ongoing campaign involving additional packages like "ethter" and "quantiumbase," all sharing the same structure and payload.

The 'VMConnect'...

4 August 2023 | Hacking & Security

Sonatype uncovers further malicious PyPI and npm packages

Sonatype continues to uncover a significant number of malicious packages within the PyPI and npm software registries.

Among the flagged packages were several Python packages published on PyPI, masquerading as legitimate libraries named after the popular npm "colors" library.

The malicious packages, including names such as "broke-rcl," "brokescolors," and "trexcolors," exclusively targeted the Windows operating system. Once installed, these packages would initiate the...

23 June 2023 | Developer

PyPI suspends new projects and users due to malicious activity

The PyPI (Python Package Index) team has temporarily suspended new projects and users on their platform due to malicious activity.

This surge in malicious activity aligns with a larger trend observed across several open-source registries in recent months. Notably, incidents such as the flood of malicious packages on the NPM JavaScript package manager and a similar attack on the Nuget package manager last year, involving over 140,000 malicious packages, have highlighted the...

22 May 2023 | Hacking & Security

PyPI will sell ‘Organization’ accounts to corporate projects

Python Packaging Index (PyPI) has announced the introduction of ‘Organization’ accounts, as the first step in its plan to build financial support and long-term sustainability.

Organizations on PyPI are self-managed teams with exclusive branded web addresses. PyPI aims to make its platform easier to use for large community projects, organisations, or companies that manage multiple sub-teams and packages.

Notably, community projects can access the new accounts for...

24 April 2023 | Developer