Date: 2023-10-12

Summary:

During September, an attacker operating under the name “kohlersbtuh15” attempted to exploit the open-source community by uploading malicious packages to the PyPI package manager. According to Checkmarx, the attacker targeted developers using Aliyun services, Telegram, and AWS. The attacker used techniques such as Typosquatting and Starjacking to deceive victims into downloading the malicious packages. Unlike previous attacks that planted malicious code in setup files, this attacker embedded the code deep within the package, inside specific functions. This approach conceals the code and ties it to specific operations or functionalities, making the attack more effective and harder to detect. Typosquatting exploits typos made by developers when typing installation commands, while Starjacking manipulates package popularity metrics by linking a package to an unrelated repository on GitHub. The attacker’s packages “Telethon2” and “enumerate-iam” were particularly noteworthy, as they duplicated popular packages, such as “Telethon”, and contained hidden malicious code within specific functions. This targeted attack not only compromises systems but also exposes sensitive data associated with platforms like Telegram, AWS, and Alibaba Cloud.

Definitions:

– Typosquatting: Publishing a malicious package under a name that closely resembles a legitimate package, in order to exploit typos made by developers when typing installation commands.

– Starjacking: Linking a package hosted on a package manager to a different unrelated package’s repository on GitHub to deceive developers about its trustworthiness.
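The two definitions above translate into two cheap triage checks a team can run over its own dependency list before installing anything. The following Python script is an added example written for this summary; it is not code from Checkmarx, from the report, or from any of the packages mentioned. It flags (1) requested package names that are within a small edit distance of a name on an assumed allow-list of packages the team actually depends on (the typosquatting signal), and (2) packages whose declared GitHub repository name does not match the package name (the starjacking signal). The allow-list and the metadata records are constructed sample data; the records are shaped like the `info` object of PyPI's JSON API (`name`, `project_urls` are real field names), but every value in them, including the GitHub owner `example-org`, is a placeholder.

```python
"""Defender-side triage checks for typosquatting and starjacking.

All data in this file is constructed sample data, not real PyPI metadata.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumed allow-list: the names this (hypothetical) team expects to depend on.
POPULAR_PACKAGES = {"telethon", "requests", "boto3"}

# Constructed records shaped like PyPI's JSON API "info" object.
# The GitHub owner "example-org" is a placeholder, not a real project.
SAMPLE_METADATA = [
    {"info": {"name": "Telethon2",
              "project_urls": {"Source": "https://github.com/example-org/Telethon"}}},
    {"info": {"name": "requests",
              "project_urls": {"Source": "https://github.com/example-org/requests"}}},
    {"info": {"name": "some-tool",
              "project_urls": {"Homepage": "https://example.com/some-tool"}}},
]


def normalize(name: str) -> str:
    """Normalise a distribution name the way PyPI does (PEP 503):
    case-insensitive, with runs of '-', '_' and '.' treated as one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), row-by-row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def typosquat_candidates(requested: list[str],
                         allow_list: set[str] = POPULAR_PACKAGES,
                         max_distance: int = 2) -> list[tuple[str, str]]:
    """Return (requested_name, closest_allowed_name) for every requested
    package that is NOT on the allow-list but is within max_distance edits
    of something that is. Exact allow-list hits and unrelated names pass."""
    findings = []
    allowed = {normalize(n) for n in allow_list}
    for raw in requested:
        name = normalize(raw)
        if name in allowed:
            continue
        best = min(allowed, key=lambda cand: levenshtein(name, cand))
        if levenshtein(name, best) <= max_distance:
            findings.append((name, best))
    return findings


def github_owner_repo(url: str) -> tuple[str, str] | None:
    """Extract (owner, repo) from a GitHub URL; None for anything else."""
    parsed = urlparse(url)
    if parsed.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    owner, repo = parts[0], parts[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return owner, repo


def starjacking_suspects(records: list[dict]) -> dict[str, tuple[str, str]]:
    """Map normalised package name -> (owner, repo) for every record whose
    declared GitHub repository name differs from the package name. A
    mismatch is a review signal, not proof: legitimate projects often use
    a repository name that differs from the distribution name."""
    findings: dict[str, tuple[str, str]] = {}
    for rec in records:
        info = rec["info"]
        pkg = normalize(info["name"])
        for url in (info.get("project_urls") or {}).values():
            parsed = github_owner_repo(url)
            if parsed is None:
                continue
            owner, repo = parsed
            if normalize(repo) != pkg:
                findings[pkg] = (owner, repo)
    return findings


if __name__ == "__main__":
    # Constructed requirements list for the demo run.
    wanted = ["Telethon2", "requests", "django"]
    for name, near in typosquat_candidates(wanted):
        print(f"possible typosquat: {name!r} is close to {near!r}")
    for name, (owner, repo) in starjacking_suspects(SAMPLE_METADATA).items():
        print(f"review repo link: {name!r} points at {owner}/{repo}")
```

Both checks are intentionally conservative triage signals. The edit-distance threshold of 2 will catch the “Telethon2”-style variant named in the summary but will also flag legitimate forks and plural names, so a hit should route to a human rather than block a build outright; the repository-name comparison has the same character. Neither check inspects package contents, which matters here because the report notes the malicious code sat inside specific functions rather than in the setup file, so a scan limited to `setup.py` would have missed it.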

Sources:

– Checkmarx

Additional Information:

Checkmarx suggests that registering a placeholder package on platforms like PyPI can prevent opportunistic attackers from claiming a name that has no legitimate package behind it. They also emphasize the risk of a malicious package being pulled in as a dependency, which can compromise developer accounts and, through tainted software releases, the developers’ own customers.