Hackers are increasingly using their own code packages for attacks or inserting malicious command line into code packages distributed via online repositories and package managers. The scam is becoming increasingly popular among hackers. The increase from 2021 to 2022 was already over 600 percent, according to Check Point.
Check Point Research (CPR), the research department of Check Point Software Technologies, warns all IT security forces about fraudulent code packages. ThreatCloud found several malicious objects. This scam can be counted among the supply chain attacks and value chain attacks, which have increased significantly.
Trusted code packages are infected
Cyber criminals try to penetrate the systems of entrepreneurs and private individuals in various ways, and code packages are the new vehicle of hackers. Over the last few years, according to CPR, criminals have increasingly abused them for their purposes: either smuggling malicious command lines into real code packages distributed via online repositories and package managers, or simply releasing malicious code packages themselves, that look legitimate. Above all, this brings the actually trustworthy third-party providers of such repositories into disrepute and has an impact on the often widespread IT ecosystems of open source. Especially Node.js (NPM) and Python (PyPi) are targeted.
Example 1: On August 8th, the infected code package Python-drgn was uploaded to PyPi, which misuses the name of the real package drgn. Those who download and use it allow the hackers behind them to collect users' private information to sell it, impersonate them, take over user accounts and collect information about victims' employers. These are sent to a private Slack channel. The dangerous thing is that it only includes a setup.py file, which is used in the Python language for installations only and automatically fetches Python packages without user interaction. This alone makes the file suspicious since all other usual source files are missing. The malicious part therefore hides in this setup file.
Package code disables Windows Defender
Example 2: The infected code package bloxflip, which misuses the name of Bloxflip.py, was also offered on PyPi. This first disables Windows Defender to avoid detection. After that, it downloads an executable file (.exe) using Python's Get function. A sub-process is then started and the file is executed in the sensitive, because privileged, developer environment of the system.
The year 2022 shows how important the warning of security researchers against this method is: The number of malicious code packages increased by 2021 percent compared to 633. To protect yourself, Check Point advises: Always check the authenticity of all source codes of third-party programs and packages. Always encrypt important data, both in transit and at rest. Carry out regular audits of the code packages used.
More at CheckPoint.com
About check point Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100.000 businesses of all sizes.