W4SP Stealer Stings Python Developers in Supply Chain Attack

Published: 23/11/2024   Category: security

Threat actors continue to push malicious Python packages to the popular PyPI service, relying on typosquatting, authentic-sounding package names, and hidden imports to fool developers and steal their information.



Attackers continue to create fake Python packages and use rudimentary obfuscation techniques in an attempt to infect developers' systems with W4SP Stealer, a Trojan designed to steal cryptocurrency information, exfiltrate sensitive data, and collect credentials from developers' systems.
According to an advisory published this week by software supply chain firm Phylum, a threat actor has created 29 clones of popular software packages on the Python Package Index (PyPI), giving them benign-sounding names or purposefully giving them names similar to legitimate packages, a practice known as typosquatting. If a developer installs one of the malicious packages, its setup script also installs, through a number of obfuscated steps, the W4SP Stealer Trojan. The packages have accounted for 5,700 downloads, researchers said.
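A simple control against the typosquatting half of this campaign is to compare every requested package name against a watch list of popular names before installation, using the PEP 503 name normalisation PyPI itself applies (case-folding and collapsing runs of `-`, `_` and `.`) and an edit distance that counts adjacent transpositions. The following is an added example written for this article, not Phylum's tooling; the `POPULAR` watch list and the candidate names are constructed for illustration, and `MAX_DISTANCE` is an assumed threshold.

```python
"""Flag package names that sit suspiciously close to popular PyPI names.

Added example, not Phylum's tooling.  The watch list below is constructed
(assumption: a real deployment would load the top-N PyPI names); only the
PEP 503 normalisation rule is taken from the packaging specification.
"""
import re

# Constructed watch list of popular PyPI package names (assumption).
POPULAR = ["requests", "urllib3", "setuptools", "colorama",
           "datetime2", "numpy", "pillow", "cryptography"]
MAX_DISTANCE = 2   # assumption: edits beyond this are not considered look-alikes


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case and collapse runs of -_. into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1, so the
    classic 'reqeusts' for 'requests' typo scores 1, not 2."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[la][lb]


def typosquat_candidates(name: str, watch_list=POPULAR, max_distance=MAX_DISTANCE):
    """Return [(popular_name, distance), ...] for watch-list entries that
    `name` is close to but not equal to.  An exact (normalised) match means
    the request *is* the popular package, so nothing is reported."""
    n = normalize(name)
    hits = []
    for popular in watch_list:
        p = normalize(popular)
        if n == p:
            return []
        dist = osa_distance(n, p)
        if dist <= max_distance:
            hits.append((popular, dist))
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    # Constructed candidate names: two look-alikes, one exact match, and the
    # article's 'typesutil', which is a clone with a benign name rather than
    # a typosquat and therefore is not caught by a distance check alone.
    for candidate in ["reqeusts", "colourama", "Requests", "typesutil"]:
        print(candidate, "->", typosquat_candidates(candidate))
```

The last candidate is the point of the example: a check like this catches mistyped names, but a clone published under an unrelated, plausible-sounding name such as typesutil passes it, so the name check has to be paired with an inspection of what the package actually does at install time.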
While W4SP Stealer targets cryptocurrency wallets and financial accounts, the most significant objective of the current campaigns appears to be developer secrets, says Louis Lang, co-founder and CTO at Phylum.
"It's not unlike the email phishing campaigns we are used to seeing, only this time attackers are solely targeting developers," he says. "Considering developers often hold access to the crown jewels, a successful attack can be devastating for an organization."
The attacks on PyPI by the unknown actor, or group, are just the latest threats to target the software supply chain. Open source software components distributed through repository services, such as PyPI and the Node Package Manager (npm), are a popular vector of attack, as the number of dependencies imported into software has grown dramatically. Attackers attempt to use these ecosystems to distribute malware to unwary developers' systems, as happened in a 2020 attack on the RubyGems ecosystem and in attacks on the Docker Hub image ecosystem. And in August, security researchers at Check Point Software Technologies found 10 PyPI packages that dropped information-stealing malware.
In this latest campaign, "these packages are a more sophisticated attempt to deliver the W4SP Stealer onto Python developers' machines," Phylum researchers stated in their analysis, adding: "As this is an ongoing attack with constantly changing tactics from a determined attacker, we expect to see more malware like this popping up in the near future."
The attack takes advantage of developers who mistype the name of a common package or adopt a new package without adequately vetting its source. One malicious package, named typesutil, is just a copy of the popular Python package datetime2 with a few modifications.
Initially, the malicious packages ran a command to download the malware during the setup phase, that is, when the package's setup script executes at install time (for example under pip), rather than when the package is imported. However, after PyPI implemented checks for that pattern, the attackers started using whitespace to push the suspicious commands outside the normal viewable range of most code editors.
"The attacker changed tactics slightly, and instead of just dumping the import in an obvious spot, it was placed waaaaay off screen, taking advantage of Python's seldom-used semicolon to sneak the malicious code onto the same line as other legitimate code," Phylum stated in its analysis.
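The off-screen trick is easy to miss by eye but easy to catch mechanically: the hidden statement still has to be a real token on the same physical line, so a scanner can look for a semicolon padded far from its neighbours, for lines longer than any editor shows, and for install-time calls to `exec`, `eval`, `compile` or `__import__` anywhere in the file. The following scanner is an added example written for this article, not Phylum's detection logic and not the attacker's code; the `SAMPLE_SETUP` text is constructed and harmless, and the column thresholds are assumptions to tune to your own editor width.

```python
"""Scan a setup.py for statements hidden off-screen and for install-time
code execution.  Added example, not Phylum's tooling or the attacker's code:
the sample file is constructed and harmless, and the thresholds are
assumptions a reviewer would tune."""
import ast
import io
import tokenize

MAX_VISIBLE_COL = 120   # assumption: columns past this are off-screen in most editors
MIN_GAP = 40            # assumption: this much padding around ';' is suspicious
DANGEROUS_CALLS = {"exec", "eval", "compile", "__import__"}


def find_hidden_statements(src: str):
    """Return a sorted list of (line_no, kind, detail) findings for `src`."""
    findings = []

    # 1. Lines longer than any editor would normally show.
    for line_no, line in enumerate(src.splitlines(), start=1):
        if len(line.rstrip()) > MAX_VISIBLE_COL:
            findings.append((line_no, "long-line", f"{len(line)} columns"))

    # 2. Semicolon-joined statements padded far from the visible code.
    toks = list(tokenize.generate_tokens(io.StringIO(src).readline))
    for i, tok in enumerate(toks):
        if not (tok.type == tokenize.OP and tok.string == ";"):
            continue
        prev = toks[i - 1] if i else tok
        nxt = toks[i + 1]
        if nxt.type in (tokenize.NEWLINE, tokenize.NL, tokenize.COMMENT):
            continue   # trailing ';' with no second statement
        pad_before = tok.start[1] - prev.end[1]
        pad_after = nxt.start[1] - tok.end[1]
        if (pad_before >= MIN_GAP or pad_after >= MIN_GAP
                or nxt.start[1] >= MAX_VISIBLE_COL):
            findings.append((tok.start[0], "offscreen-semicolon",
                             f"second statement starts at column {nxt.start[1]}"))

    # 3. Calls that import or run code at install time, wherever they sit.
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        findings.append((exc.lineno or 0, "unparseable", str(exc.msg)))
        return sorted(findings)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, "dangerous-call", f"call to {name}()"))
    return sorted(findings)


# Constructed, harmless sample: a plausible setup() call, 300 spaces of
# padding, a semicolon, and a second statement that reaches for __import__
# (here doing nothing worse than builtins.max) in the way the article describes.
SAMPLE_SETUP = (
    "from setuptools import setup\n"
    "\n"
    "setup(name='typesutil', version='0.1.0')" + " " * 300
    + "; hidden = __import__('builtins').max(1, 2)\n"
)

if __name__ == "__main__":
    for line_no, kind, detail in find_hidden_statements(SAMPLE_SETUP):
        print(f"line {line_no}: {kind}: {detail}")
```

Running it on the sample reports all three findings on line 3, while an ordinary `setup(name='ok')` file and an innocuous `x = 1; y = 2` line produce nothing. In a CI gate the long-line and padded-semicolon checks are cheap pre-filters; the AST check is the one that matters, because a setup script has no legitimate reason to call `exec` or `__import__` during installation.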
While typosquatting is a low-fidelity attack with only rare successes, the effort costs attackers little compared with the potential reward, says Phylum's Lang.
"It's a numbers game with attackers polluting the package ecosystem with these malicious packages on a daily basis," he says. "The unfortunate reality is that the cost to deploy one of these malicious packages is extremely low relative to the potential reward."
The eventual goal of the attack is to install the information-stealing Trojan W4SP Stealer, which enumerates the victim's system, steals browser-stored passwords, targets cryptocurrency wallets, and searches for interesting files using keywords such as "bank" and "secret," says Lang.
"Aside from the obvious monetary rewards of stealing cryptocurrency or banking information, some of the pilfered information could be used by the attacker to further their attack by giving access to critical infrastructure or additional developer credentials," he says.
Phylum has made some progress in identifying the attacker and has sent reports to the companies whose infrastructure is being used.