Credit card-stealing malware found in official Python repository

Security researchers blame the repository’s lack of moderation


Cybersecurity researchers have once again found malicious packages lurking in Python’s official repository, PyPI.

According to estimates from the security research team at DevOps specialists JFrog, the eight malicious Python packages were downloaded more than 30,000 times.

The researchers’ analysis reveals that the tainted packages are designed to sniff out credit card information that’s usually auto-saved by some popular web browsers, including Chrome and Edge.

“The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks. The ability for attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant,” observed Asaf Karas, CTO, Security at JFrog.

Checks and controls


PyPI has purged the packages after being alerted by JFrog.

According to JFrog, in addition to siphoning credit card details, the packages also scraped tokens for the Discord messaging platform, which could be used to impersonate the user.

PyPI has been at the receiving end of several campaigns to poison the repository with malicious packages. Earlier this year in June, PyPI was purged of half a dozen typosquatting packages that contained cryptomining malware, and a month before that the repository was flooded with spam packages.


In fact, a recent study revealed that almost half of the packages in PyPI have one or more security issues.

The researchers believe a lack of moderation and automated security controls in PyPI and other public software repositories makes it fairly straightforward for threat actors to inject malicious code.

JFrog suggests that developers integrate preventive measures, such as verification of library signatures in their CI/CD pipelines, along with tools that scan for suspicious code.
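As an added illustration of the kind of "suspicious code" scan mentioned above (this is example code written for this article, not JFrog’s tooling), the following Python checks a package’s source for the simple obfuscation pattern Karas refers to: `exec()` or `eval()` run over a decoded or decompressed blob. The sample source it scans is constructed for the example; the decoder names it looks for are an assumed, non-exhaustive list.

```python
"""Flag exec()/eval() calls whose argument is produced by a decoder.

Constructed example of a pre-install check for a CI/CD pipeline: parse the
source with the standard ast module and report any exec/eval whose argument
contains a call to a decoding or decompression helper. Benign exec calls over
plain strings are left alone.
"""
import ast

# Assumed, non-exhaustive list of helpers commonly used to hide a payload.
SUSPICIOUS_DECODERS = {"b64decode", "a85decode", "b32decode",
                       "decompress", "unhexlify", "fromhex"}


def _calls_decoder(node: ast.AST) -> bool:
    """True if the expression tree contains a call to a listed decoder."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            func = sub.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in SUSPICIOUS_DECODERS:
                return True
    return False


def scan_source(src: str, filename: str = "<string>") -> list:
    """Return (line, message) findings for exec/eval over decoded payloads."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in {"exec", "eval"} and node.args
                and _calls_decoder(node.args[0])):
            findings.append((node.lineno, f"{node.func.id}() over decoded payload"))
    return sorted(findings)


def scan_file(path: str) -> list:
    """Scan one file on disk, e.g. a package's setup.py before installing it."""
    with open(path, encoding="utf-8") as fh:
        return scan_source(fh.read(), path)


# Constructed sample "package" source: one benign exec, two obfuscated ones.
SAMPLE = """\
import base64, zlib
blob = b'<compressed bytes would go here>'
exec('x = 1')
exec(base64.b64decode('cHJpbnQoJ2hpJyk='))
eval(zlib.decompress(blob))
"""

if __name__ == "__main__":
    for line, msg in scan_source(SAMPLE, "sample_setup.py"):
        print(f"sample_setup.py:{line}: {msg}")
```

Only the two decoded payloads are reported (lines 4 and 5 of the sample); the plain `exec('x = 1')` on line 3 is not.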

“This is a systemic threat, and it needs to be actively addressed on several layers, both by the maintainers of software repositories and by the developers,” believes Karas.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
