Malicious Python packages found on PyPI

Researchers have uncovered another batch of malicious Python libraries hosted on Python Package Index (PyPI).

malicious Python packages

The malicious packages

PyPI is the official third-party software repository for Python and a great source of open source libraries and modules for implementing common functionalities.

Unfortunately, if a malicious component ends up on it, chances are many developers will download and implement it before it is discovered and removed from the repository.

This happened with libpeshnx, libpesh and libari, three packages developed by user ruri12, who published them in November 2017.

“If the [libpeshnx] package is installed on a Linux system, it will try to download a file from the C2 domain, save it as a hidden file named .drv in the user’s home directory, and persist itself inside .bashrc to be run as a background process whenever an interactive non-login shell is created (i.e. any time a shell is opened after the initial login),” ReversingLabs’ principal engineer Robert Perica and threat analyst Antonio Zekić found.

The libpesh and libari packages only contain references to the malicious function without any code.

All three have been removed from PyPI by the repository’s security team earlier this month. But, between their publication and removal, they’ve been downloaded and installed (too) many times.

malicious Python packages

The only good news is that the C2 domain from which the malicious code is meant to be downloaded has been offline for months.

The dangers of public package repositories

If the names of these packages seems familiar, you might remember last year’s discovery of a dozen malicious packages on PyPI. Among those was one named libpeshka, which contained the exact same backdoor, downloaded from the same (unavailable) C2 server.

ReversingLabs researchers believe that the newly discovered packages might be a development version of libpeshka.

Popular public code repositories for software developers can be helpful vehicles for (more or less targeted) supply chain attacks.

“Given the lack of scrutiny involved during the package submission, review, and approval process, and the attack surface size that such platforms provide, public package repositories might slowly become a malware repository platform, unless their security posture changes,” the researchers noted.

“To greatly reduce the possibility of hosting malware, such repositories would all benefit from continuous processing and a better review process.”


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss