PyPI hit by malware attack! Malicious packages targeting crypto wallets & browser data. Platform suspends new users & projects. Learn how to stay safe and what you should do.
This article has been updated with new information.
In a move to combat a large-scale malware campaign, the Python Package Index (PyPI), the official repository for third-party Python software, has suspended new user registration and project creation. This critical action comes after security researchers at Checkmarx identified a series of malicious packages targeting unsuspecting developers.
According to PyPI’s official update released on March 28th, 2024, at 2:16 UTC, the platform is taking proactive measures to “mitigate an ongoing malware upload campaign.” This suspension aims to disrupt the attackers’ efforts and protect the vast Python developer community.
Checkmarx Discovers Deceptive Software
The security team at Checkmarx identified a coordinated effort by threat actors to upload malicious packages onto PyPI. These packages are designed to exploit a common vulnerability known as typosquatting. Typosquatting tricks users into installing malware by using names and website addresses that closely resemble those of legitimate software.
Once installed, these malicious packages unleash a multi-stage attack. The initial payload targets a user’s cryptocurrency wallets, aiming to steal valuable digital assets. The attackers further expand their reach by scraping sensitive data from browsers, including cookies and extension information. Additionally, the malware attempts to steal various login credentials, potentially compromising a user’s entire digital ecosystem.
According to Checkmarx’s research shared with Hackread.com ahead of publication on Thursday, the most concerning aspect of this attack is the malware’s persistence mechanism. This mechanism allows the malware to survive system reboots, ensuring its continued operation even after a restart. This persistence significantly increases the difficulty of detection and eradication.
PyPI Fights Back
PyPI’s quick suspension of new user registration and project creation shows the platform’s commitment to user safety. This action also potentially disrupts the attackers’ ability to upload new malicious packages and provides PyPI with time to implement more robust security measures.
What Developers Should Do
While PyPI works to address the situation, developers are advised to exercise extreme caution when installing Python packages. Here are some essential security practices:
- Double-check package names and sources: Meticulously verify the spelling and origin of any package before installation. Typosquatting relies on tricking users into installing the wrong software.
- Verify publisher reputation: Research the publisher behind a package before trusting it. Look for established developers with a history of creating reliable software.
- Read reviews and ratings: User reviews and ratings can offer valuable insights into a package’s legitimacy and functionality.
- Stay informed: Keep yourself updated on the latest security threats targeting PyPI and the Python community.
The Future of PyPI Security
The PyPI security team is working to identify and remove all malicious packages from the platform. Additionally, they will be implementing tougher measures to prevent similar attacks in the future. Developers can expect further announcements from PyPI regarding the timeline for resuming new user registration and project creation.
This incident goes on to show how sophisticated cyberattacks have become especially when targeting the software development community. By working together, developers, security researchers, and platform operators like PyPI can create a safer and more secure environment for everyone.
UPDATE Mar 28, 2024 – 12:56 UTC
As of March 28, 2024, 12:56 UTC, PyPI’s official website states, “This incident has been resolved,” indicating that the registration of new projects and users is now enabled again.