Security researchers highlight another scam that has become popular among hackers over the past few years. Infected code packages with malicious command lines serve as shock troops.
Check Point Software's research department warns all IT security personnel about fraudulent code packages. This scam can be counted among the supply chain attacks and value chain attacks, which have increased significantly. Cyber criminals try to penetrate the systems of entrepreneurs and private individuals in various ways, and code packages are the new vehicle of hackers.
Code packages as vehicles
Over the last few years, criminals have increasingly misused them for their purposes: either smuggling malicious command lines into genuine code packages distributed via online repositories and package managers, or simply releasing malicious code packages themselves that look legitimate . Above all, this brings the actually trustworthy third-party providers of such repositories into disrepute and has an impact on the often widespread IT ecosystems of open source. Especially Node.js (NPM) and Python (PyPi) are targeted.
Example 1
On August 8th, the infected code package Python-drgn was uploaded to PyPi, abusing the name of the real package drgn. Those who download and use it allow the hackers behind them to collect users' private information to sell it, impersonate them, take over user accounts and collect information about victims' employers. These are sent to a private Slack channel. The dangerous thing is that it only includes a setup.py file, which is used in the Python language for installations only and automatically fetches Python packages without user interaction. This alone makes the file suspicious since all other usual source files are missing. The malicious part therefore hides in this setup file.
Example 2
The infected code package bloxflip was also offered on PyPi, which abuses the name of Bloxflip.py. This first disables Windows Defender to avoid detection. After that, it downloads an executable file (.exe) using Python's Get function. A sub-process is then started and the file is executed in the sensitive, because privileged, developer environment of the system.
The year 2022 shows how important the warning of security researchers against this method is: The number of malicious code packages increased by 2021 percent compared to 633.
More at CheckPoint.com
About check point Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100.000 businesses of all sizes.