Sujet : PyPi supply chain attack
De : dont (at) *nospam* emailme.com (Wanderer)
Groupes : comp.lang.pythonDate : 29. Mar 2024, 07:22:29
Autres entêtes
Organisation : To protect and to server
Message-ID : <458601@dontemail.com>
pypi halted new users and projects while it fended off supply chain attack
https://arstechnica.com/security/2024/03/pypi-halted-new-users-and-projects-while-it-fended-off-supply-chain-attack/The malicious code is located within each package's setup.py file, enabling automatic execution upon installation.
In addition, the malicious payload employed a technique where the setup.py file contained obfuscated code that
was encrypted using the Fernet encryption module. When the package was installed, the obfuscated code was automatically
executed, triggering the malicious payload. Upon execution, the malicious code within the setup.py file attempted to retrieve
an additional payload from a remote server. The URL for the payload was dynamically constructed by appending the package
name as a query parameter. The retrieved payload was also encrypted using the Fernet module. Once decrypted, the payload
revealed an extensive info-stealer designed to harvest sensitive information from the victim's machine. The malicious payload
also employed a persistence mechanism to ensure it remained active on the compromised system even after the initial execution."