Malicious Python Package Relies on Steganography to Download Malware

  /     /     /  
Publicated : 23/11/2024   Category : security

Malicious Python Package Relies on Steganography to Download Malware


The malicious package downloads an image from the Web, then uses a steganography module to extract and execute the code to download malware.


Check Point Research has detected a malicious open source code package that uses steganography to hide malicious code inside image files.
The malicious package was available on PyPI, a package index widely used by Python developers. After being notified of it, PyPIs maintainers have removed the malicious package.
The malicious package, apicolor, looks like one of many development packages available on PyPI. The header states the package is a core lib for REST API. The package installation script for apicolor has instructions to download additional packages (requests and judyb), along with a picture from the Web. The script then uses the steganography capabilities in judyb to uncover and execute the malicious code hidden inside the image file. The malicious code downloads malware from the Web and installs it on the users machine.
The impact seems minimal — Check Point Research found only three GitHub users including apicolor and judyb in their code, and a little over 80 projects containing the malicious packages. The infection method relies on people stumbling across these open source projects and installing them on their machines, not knowing it brings in a malicious package import, the team said.
The more important takeaway? These findings reflect careful planning and thought by a threat actor, who proves that obfuscation techniques on PyPI have evolved,
Check Point Research wrote on the teams blog
.
Attackers are no longer just relying on the strategy to copy and rename existing packages and hide malicious code inside. Instead, they are targeting certain type of users — often those working from home, and those using corporate machines for side projects, according to the research team.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
Malicious Python Package Relies on Steganography to Download Malware