Malicious software packages are found in pypi code base. Tencent security threat intelligence has been included. Experts remind coders to be careful of supply chain attacks
2022-06-24 05:44:00 【Tencent security】
According to a report on the JFrog Technology blog, several malicious packages were found in the PyPI repository. The attackers attempted to implant a backdoor, steal credit card information, steal sensitive browser data, and capture screenshots and upload them to a specified address. Before they were removed from the PyPI website, the malicious packages had been downloaded about 30,000 times. Tencent security experts found that these malicious packages still exist in some domestic mirror repositories. They advise software developers to perform a security audit when downloading resources from the PyPI repository, so as to avoid installing malicious code into their own development environments.
Background of the event
In recent years, PyPI, GitHub and other software repositories have repeatedly been exposed to software supply chain attacks: the attacker uploads code with a built-in backdoor to a public repository; if other developers do not pay attention to auditing the security of that code, they may pull the harmful code into their own development environment and then, when distributing the software they developed, spread the malicious program to end users.
The problematic Python packages, found to be obfuscated with Base64 encoding:
· pytagora (uploaded by leonora123)
· pytagora2 (uploaded by leonora123)
· noblesse (uploaded by xin1111)
· genesisbot (uploaded by xin1111)
· are (uploaded by xin1111)
· suffer (uploaded by suffer)
· noblesse2 (uploaded by suffer)
· noblessev2 (uploaded by suffer)
PyPI is the abbreviation of Python Package Index, the official third-party software repository for Python; package manager utilities such as pip rely on it as the default source for packages and their dependencies. Uploading malicious code to the official repository causes software developers who rely on these sources (or mirrors of them) to deploy their development environments to spread the malicious code inadvertently. This constitutes a typical software supply chain attack.
As far as is known, PyPI, GitHub and other public code repositories do not audit code content themselves: any developer can register and upload code. This mechanism is similar to other social media platforms, where the platform operator is not responsible for content security.
Tencent security experts advise software developers who use code shared through public repositories such as PyPI and GitHub to review the content of the code before use and avoid installing malicious code. Tencent security has added detection for the above files containing malicious code to help software developers detect the risk.
Malicious sample analysis:
The malicious code is stored Base64-encoded, mainly to hide the functions that implement the malicious backdoor.
The backdoor code in the figure below tries to connect to 172.16.60.80:9009 and then executes Python code read from the socket.
The malicious code queries the sqlite database in which Chrome saves sensitive information, obtaining all accounts and login passwords saved in the browser.
It also takes screenshots of the computer screen to steal sensitive information.
The stolen sensitive data above is uploaded to the following interface address:
hxxps://discordapp.com/api/webhooks/725066562536472720/dj6bPPENAE5SxFzMRB6m7FEPwIbrWkH_5PlSR6RG99pY73wjJ9dVoZTkOrvOQ04cZybR
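As an added example (not code from the article, from Tencent, or from the packages named above), a small scanner for the obfuscation pattern the analysis describes: Base64 string literals whose decoded content mentions sockets, exec, the Chrome sqlite store or a Discord webhook. The indicator list and the sample module it scans are constructed for this demonstration.

```python
"""Flag Base64 literals in Python source whose decoded text matches the described backdoor."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Indicator substrings taken from the article's description of the samples.
# Constructed for the demonstration, not a signature from the original page.
INDICATORS = ("socket", "exec(", "sqlite", "Chrome", "discordapp.com/api/webhooks")

# A quoted run of 40+ Base64 alphabet characters with optional padding.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")


def decode_b64_literal(blob: str) -> Optional[str]:
    """Decode a Base64 blob to text; return None if it is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def scan_source(source: str) -> List[Dict[str, object]]:
    """Return one finding per Base64 literal whose decoded text carries an indicator."""
    findings = []
    for match in B64_LITERAL.finditer(source):
        decoded = decode_b64_literal(match.group(1))
        if decoded is None:
            continue  # binary or invalid data: not the text obfuscation described above
        hits = [ind for ind in INDICATORS if ind in decoded]
        if hits:
            findings.append({"offset": match.start(), "indicators": hits,
                             "preview": decoded[:60]})
    return findings


# Constructed sample module (not code from the packages named above): a harmless
# marker string is Base64-encoded at runtime so the scanner has something to find,
# next to a benign encoded literal that must not be flagged.
_MARKER = "import socket, sqlite3  # CONSTRUCTED SAMPLE, does nothing\n"
_NOTES = b"release notes: plain text only, nothing encoded here"
SAMPLE_SOURCE = (
    "import base64\n"
    f"notes = '{base64.b64encode(_NOTES).decode()}'\n"
    f"data = '{base64.b64encode(_MARKER.encode()).decode()}'\n"
    "exec(base64.b64decode(data))\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"offset {finding['offset']}: indicators={finding['indicators']}")
```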
Tencent security solutions:
The threat data for the malicious PyPI code packages has been added to the Tencent security threat intelligence database, empowering Tencent's full range of security products. Customers can subscribe to Tencent security threat intelligence products so that security equipment across the whole network gains the corresponding threat detection, defense and blocking capabilities. Government and enterprise customers are advised to deploy Tencent Cloud Firewall, Tencent Host Security (Cloud Mirror) and other security products in the public cloud to detect and defend against the related threats.
Tencent Host Security (Cloud Mirror) supports detecting and removing the files dropped by the malicious PyPI code packages. Customers can log in to Tencent Cloud -> Host Security console, check the virus and Trojan alert information, and isolate or delete the malicious Trojan with one click. Government and enterprise customers are advised to use the vulnerability management and baseline management functions of Tencent Host Security to detect security vulnerabilities and weak passwords in network assets.
Tencent iOA and Tencent PC Manager already support detecting and intercepting downloads of the related malicious packages.
Private cloud customers can deploy the Tencent Advanced Threat Detection System (Royal boundary) in bypass mode to perform traffic detection and analysis. The Tencent Advanced Threat Detection System (Royal boundary) already supports detecting the download of the related malicious files by government and enterprise intranet users and the exfiltration of sensitive information stolen by the malicious backdoor.
Government and enterprise customers can deploy Tencent sky curtain (NIPS) in bypass mode to intercept in real time the connections from the PyPI backdoor to the remote server and block the threat traffic completely. Tencent sky curtain (NIPS) builds on Tencent's self-developed security computing power algorithm PaaS to form a network border collaborative protection system with trillion-scale massive samples, millisecond response, automated intelligence, security visualization and other capabilities.
IOCs
MD5
453ddb774d66e75c9b65b68306957ef8
253325d92666c6bb1160780ed85705a5
a61b6c3551d91b1e08a6daf843bcc3ab
5274c20eda8a905784a85d898a038dde
Reference material:
https://jfrog.com/blog/malicious-pypi-packages-stealing-credit-cards-injecting-code/
https://www.theregister.com/2021/07/28/python_pypi_security
https://thehackernews.com/2021/07/several-malicious-typosquatted-python.html