Malicious Python packages have been used in an ongoing supply chain attack to spread the W4SP Stealer malware, which has so far infected over a hundred victims.

Checkmarx researcher Jossef Harush declared in a technical write-up that the threat actor is still active and releasing more malicious packages. The attacker claims that the tools are undetectable to increase sales.

The attack is only the latest threat to the software supply chain. It stands out because the polymorphic malware payload was extracted, using steganography, from an image file hosted on Imgur.

How Is the Malware Deployed?

Installing the package ultimately delivers W4SP Stealer (also known as WASP Stealer), an information stealer designed to exfiltrate Discord accounts, passwords, cryptocurrency wallets, and other data of interest to a Discord webhook.

Cybersecurity researchers pinned down the attacker’s Discord server, which is administered by a single user known as “Alpha.#0001”, alongside various fake profiles created on GitHub to lure developers into downloading the malware.

Additionally, the operator of Alpha.#0001 has been seen promoting the “completely undetectable” tool for $20 in the Discord channel and releasing a continuous stream of new packages under different names as soon as PyPI removes them.

As per The Hacker News, the threat actor was seen adopting a new username on PyPI (“halt”) to upload typosquatting libraries that leveraged StarJacking, a technique where a package is published with a URL pointing to an already popular source code repository, so that the package appears to inherit that repository’s reputation.
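To make the two PyPI tricks described above concrete, here is an added example (not from the article or from Checkmarx) of a defender-side vetting check: it flags package names that are near-matches to popular packages and linked GitHub repositories whose name does not match the package name, the cheap tell behind StarJacking. The popular-package list and the sample metadata are constructed for illustration.

```python
"""Heuristic checks for typosquatting and StarJacking on PyPI-style metadata."""
from difflib import SequenceMatcher
from typing import Optional
from urllib.parse import urlparse

# Constructed sample of popular names; a real check would load a much larger list.
POPULAR_PACKAGES = {"requests", "colorama", "numpy", "pillow", "cryptography"}


def normalize(name: str) -> str:
    """PyPI treats '-' and '_' and case as equivalent, so compare in one form."""
    return name.lower().replace("_", "-")


def is_typosquat(name: str, threshold: float = 0.85) -> Optional[str]:
    """Return the popular package this name resembles, or None if it is exact/unrelated."""
    candidate = normalize(name)
    if candidate in POPULAR_PACKAGES:
        return None  # it *is* the popular package, not a look-alike
    for legit in sorted(POPULAR_PACKAGES):
        if SequenceMatcher(None, candidate, legit).ratio() >= threshold:
            return legit
    return None


def repo_slug(url: str) -> Optional[str]:
    """Extract 'owner/repo' from a GitHub URL; None for anything else."""
    parsed = urlparse(url)
    if parsed.netloc.lower() not in {"github.com", "www.github.com"}:
        return None
    parts = [p for p in parsed.path.split("/") if p]
    return "/".join(parts[:2]).lower() if len(parts) >= 2 else None


def starjacking_indicators(info: dict) -> list:
    """Flag linked GitHub repos whose name differs from the package name."""
    name = normalize(info["name"])
    urls = list((info.get("project_urls") or {}).values())
    if info.get("home_page"):
        urls.append(info["home_page"])
    findings = []
    for url in dict.fromkeys(urls):  # de-duplicate while keeping order
        slug = repo_slug(url)
        if slug and normalize(slug.split("/")[1]) != name:
            findings.append(f"repo {slug} does not match package name {name}")
    return findings


def vet_package(info: dict) -> dict:
    return {"typosquat_of": is_typosquat(info["name"]),
            "starjacking": starjacking_indicators(info)}


# Constructed metadata shaped like the `info` block of PyPI's JSON API.
SAMPLE = {"name": "colorsama",
          "home_page": "https://github.com/legit-org/colorama",
          "project_urls": {"Source": "https://github.com/legit-org/colorama"}}
```

Run `vet_package(SAMPLE)` to see both indicators fire for the constructed package; a genuine upload of the popular package itself produces neither.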

Harush noted that it is the first time he has seen polymorphic malware being used in software supply chain attacks.

The technique is simple, yet very effective. Hundreds of users were tricked by the campaign after copying the poisoned snippets posted on GitHub by the fake accounts.

The development also coincides with the publication of new guidance by U.S. cybersecurity and intelligence agencies describing the actions customers should take to secure the software supply chain.
