Security researchers are highlighting another scam that has become popular among hackers over the past few years. Infected code packages containing malicious commands serve as the shock troops.
Check Point Software's research department warns all IT security personnel about fraudulent code packages. This scam belongs to the category of supply chain and value chain attacks, which have increased significantly. Cybercriminals try to penetrate the systems of entrepreneurs and private individuals in various ways, and code packages are the hackers' new vehicle.
Code packages as vehicles
Over the last few years, criminals have increasingly misused code packages for their own purposes: either by smuggling malicious commands into genuine code packages distributed via online repositories and package managers, or simply by releasing malicious code packages of their own that look legitimate. Above all, this damages the reputation of the otherwise trustworthy third-party providers of such repositories and affects the often widely used open source IT ecosystems. Node.js (npm) and Python (PyPI) are targeted in particular.
Example 1
On August 8th, the infected code package Python-drgn was uploaded to PyPI, abusing the name of the real package drgn. Anyone who downloads and uses it enables the hackers behind it to collect users' private information in order to sell it, impersonate them, take over user accounts and gather information about the victims' employers. The collected data is sent to a private Slack channel. What makes it dangerous is that the package contains only a setup.py file, which in Python is used solely for installation and automatically fetches Python packages without user interaction. This alone makes the file suspicious, since all the other usual source files are missing. The malicious part is therefore hidden in this setup file.
Example 2
The infected code package bloxflip was also offered on PyPI, abusing the name of Bloxflip.py. It first disables Windows Defender to avoid detection. It then downloads an executable file (.exe) using Python's Get function. Finally, a subprocess is started and the file is executed in the system's developer environment, which is sensitive because it is privileged.
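Both samples leave install-time signals a reviewer can check statically before running pip: an archive whose only Python file is setup.py, and a setup.py that imports networking or process-spawning modules. The following Python check is an added example, not code from Check Point or from the packages described; the module watch list, the function names and the two in-memory archives are constructed assumptions.

```python
import ast
import io
import tarfile

# Assumed watch list: modules a build script rarely needs at install time.
RISKY_IMPORTS = {"subprocess", "socket", "urllib", "requests", "http", "ctypes"}

def risky_imports(source):
    """Return risky top-level modules imported anywhere in the source text."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            found.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.add(node.module.split(".")[0])
    return found & RISKY_IMPORTS

def audit_sdist(data):
    """Statically inspect a .tar.gz sdist; nothing is written to disk or executed."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        py_files = [m for m in tar.getmembers() if m.isfile() and m.name.endswith(".py")]
        setups = [m for m in py_files if m.name.rsplit("/", 1)[-1] == "setup.py"]
        if setups and len(py_files) == len(setups):
            findings.append("setup.py is the only Python source file")
        for member in setups:
            source = tar.extractfile(member).read().decode("utf-8", "replace")
            try:
                hits = sorted(risky_imports(source))
            except (SyntaxError, ValueError):
                findings.append("setup.py does not parse as Python")
                continue
            if hits:
                findings.append("setup.py imports: " + ", ".join(hits))
    return findings

def make_sdist(files):
    """Build a constructed in-memory sdist from {path: text} for the samples below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

# Constructed samples: neither archive is a real package, and both are inert.
SUSPECT = make_sdist({"demo-0.1/setup.py": "import subprocess, urllib.request\n"})
BENIGN = make_sdist({"demo-0.1/setup.py": "import setuptools\n", "demo-0.1/demo.py": "X = 1\n"})
```

A finding is a reason to read the setup.py by hand, not a verdict; legitimate packages with native build steps sometimes import `subprocess`.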
The year 2022 shows how important the security researchers' warning about this method is: the number of malicious code packages increased by 633 percent compared to 2021.
More at CheckPoint.com
About Check Point
Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100,000 businesses of all sizes.