Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as “time” related utilities, but harboring hidden functionality to steal sensitive data such as cloud access tokens.
Software supply chain security firm ReversingLabs said it discovered two sets of packages totaling 20 of them. The packages have been cumulatively downloaded over 14,100 times –
- snapshot-photo (2,448 downloads)
- time-check-server (316 downloads)
- time-check-server-get (178 downloads)
- time-server-analysis (144 downloads)
- time-server-analyzer (74 downloads)
- time-server-test (155 downloads)
- time-service-checker (151 downloads)
- aclient-sdk (120 downloads)
- acloud-client (5,496 downloads)
- acloud-clients (198 downloads)
- acloud-client-uses (294 downloads)
- alicloud-client (622 downloads)
- alicloud-client-sdk (206 downloads)
- amzclients-sdk (100 downloads)
- awscloud-clients-core (206 downloads)
- credential-python-sdk (1,155 downloads)
- enumer-iam (1,254 downloads)
- tclients-sdk (173 downloads)
- tcloud-python-sdks (98 downloads)
- tcloud-python-test (793 downloads)
While the first set relates to packages that are used to upload data to the threat actor’s infrastructure, the second cluster consists of packages implementing cloud client functionalities for several services like Alibaba Cloud, Amazon Web Services, and Tencent Cloud.
But they have also been using “time” related packages to exfiltrate cloud secrets. All the identified packages have already been removed from PyPI as of writing.
Further analysis has revealed that three of the packages, acloud-client, enumer-iam, and tcloud-python-test, has been listed as dependencies of a relatively popular GitHub project named accesskey_tools that has been forked 42 times and started 519 times.
A source code commit referencing tcloud-python-test was made on November 8, 2023, indicating that the package has been available for download on PyPI since then. The package has been downloaded 793 times to date, per statistics from pepy.tech.
The disclosure comes as Fortinet FortiGuard Labs said it discovered thousands of packages across PyPI and npm, some of which have been found to embed suspicious install scripts designed to deploy malicious code during installation or communicate with external servers.
“Suspicious URLs are a key indicator of potentially malicious packages, as they are often used to download additional payloads or establish communication with command-and-control (C&C) servers, giving attackers control over infected systems,” Jenna Wang said.
“In 974 packages, such URLs are linked to the risk of data exfiltration, further malware downloads, and other malicious actions. It is crucial to scrutinize and monitor external URLs in package dependencies to prevent exploitation.”
