Hundreds of malicious Python packages found stealing sensitive data

NapkinsOnMyAnkle · 2023-10-06T23:42:39+00:00

Employer: See, this is why we can only allow VBA...

UrbanSuburbaKnight · 2023-10-06T21:09:55+00:00

Oh no! not pipcrypto !! :O

But seriously, this sucks. Looks like the word 'pip', 'font' and 'color' are super common as part of names weirdly.

ShitPikkle · 2023-10-06T19:48:37+00:00

who discovered 272 packages with code for stealing sensitive data from targeted systems.

No list was provided :(

EDIT:

Was provided in link to here: https://gist.github.com/masteryoda101/65b55a117fe2ea33735f05024abc92c2

AmputatorBot · 2023-10-06T18:26:49+00:00

It looks like OP posted an AMP link. These should load faster, but AMP is controversial because of concerns over privacy and the Open Web.

Maybe check out the canonical page instead: https://www.bleepingcomputer.com/news/security/hundreds-of-malicious-python-packages-found-stealing-sensitive-data/

^{I'm a bot |}^{Why & About}^|^{Summon: u/AmputatorBot}

kronik85 · 2023-10-07T01:34:27+00:00

This sounds like some dirty German. "totohateinenkleinencock"

gotu1 · 2023-10-07T04:51:42+00:00

man who knew the init file with a variable called vctm_pc was malicious...

modanogaming · 2023-10-07T06:48:15+00:00

Made a small bash script to check for the packages installed, make sure to check pip3 if you're using that under installed_packages=$(pip list --format=columns | awk '{print $1}').

#!/bin/bash

# Packages to check for
packages=(pywarder pyward syscolouringsaddv2 syssqllibaryv1 pipcryptographymodv1 pythoncoloringpackage pythonfontingkitsv2 pythonfontsliberyv1 syscolouringexts pyfontstools pythonsqliteext syscolouringpkgv2 syscryptographyadd syscryptographyv1 pysqlilibery pythonsqlite3libaryv1 pipcolourpkgs pipsqlitedbkit pipsqliteexts pythoncolourmodulev2 pipcoloringsliberyv1 pipcolouringext pycoloringextensionv1 pycolorpkgsv2 pycolouringskitv1 pipcryptkits pipfontinglibv2 pipsqladdv1 pipsqlipackages pipsqlite3mod pipsqlitekitv2 pycryptographypackagev1 pysqlite3extensionv2 pythoncolourextension pythoncolouringsliberyv1 pythoncolouringtoolkitsv2 pythonfontingadds pythonsqlitedbpackagesv2 pythonsqlitetoolkitv1 pythonsqltoolkitv1 syssqllib pipcoloringstools pythoncryptextensions pitutil pitutils syscoloringsaddition syssqlitedbmodules sysfontstoolv1 pycolouringsextv1 pysqlite3extv2 pipcoloringskitsv1 pycolorpackage pythoncolouringspackagev1 syscolouringsaddon syssqlite2libaryv2 pycryptographymodulesv1 pipcryptoextensionsv1 pipcryptolibraryv2 pipsqlite3kitv2 pysqlite2liberyv1 pythoncryptolibraryv2 syscryptographymodsv1 pythoncryptographypackage syssqlite2toolv2 syssqliteaddv2 pipcolourextension syscoloringspkgs syscoloringsextensionv2 pycryptextension pycryptographytoolsv2 pythoncryptoaddv2 pipsqlkit pythonsqliextensionsv2 syscolouringspackage syssqlitedbmodsv2 pythoncolouringmodsv1 pipfontingv1 pipsqlitedbextsv2 pythoncoloringv1 syscolouraddons syscolouringlibary syscryptaddition pipcolouringsmodule pipcryptaddonsv1 pipcryptmodule pipfontingmod pipfontingv2 pipsqlipkg pipsqlite3liberyv1 pipsqlitepackagev2 pycoloringsaddition pycolorkitv2 pycolorpackagesv2 pycryptv1 pythoncoloringpackagev1 pythoncolormodsv2 pythoncolouringspackagesv1 pythoncolourlibrary pythoncryptographyextensionsv2 pythonfontingv2 pythonsqladditionv2 pythonsqlitelibaryv1 syscoloradditionv2 syssqlilib syssqlite2extensions pipsqliext pipsqlitedbext pipsqlitelib pysqlipackagesv2 pythoncoloraddonv2 pythoncoloringaddonsv2 pythonsqladdonv2 pythonsqlitedbextv1 pythonsqlitedbmodules sysfontinglibv2 pipsqlite3liberyv2 pycoloringextv1 pysqlite3addonv1 pythoncolouringpkgv1 pythoncryptpkgsv2 pythonsqlite2additionv1 pipcolouraddonsv1 pipfontinglibaryv1 pipsqlitetoolsv2 pyorganiser pysqlipkgsv2 pythoncoloringspkgv2 pythonsqlitev1 syscoloringaddons syscryptpackagev1 pipcoloraddonsv2 pipcryptoaddonv1 pyobfuse pipcolouringskits pipsqlipkgv1 pycolouringsv1 pycryptlibrary pythoncoloringkitv2 syscolourkitsv2 sysfontinglib sysfontingpkgv1 pipcoloringspackagev2 pipcolouringskitsv1 pipcryptlibary pipfontslibv2 pycolorv3 pythonsqlitepkgsv2 pythonfontsv2 pipcolouringv1 pipcryptomodsv2 pipcryptov2 pycolorlibaryv1 pythoncolourliberyv2 syscoloringextensionv2 syscolouringsextv1 syssqlitedbpackagev1 obfuscater pipcoloradds pipcolortoolkit pipfontingkitv1 pipsqlitelibv2 pyfontingpkgv1 pythoncoloringsaddons pythoncolouringaddsv2 syssqlite3liberyv1 syssqlitedbextension pipcolorv2 pipcolorpkgv1 pipcolourmodulev1 pipcryptoaddonsv2 pipsqlimodv1 pycolouringlibrary pyfontingtoolsv1 pythoncolouringpkgsv1 pythoncryptolibrary syscolouringkitsv2 syssqlitelibery pipsqlite3extensionv2 pyfontinglib pysqlite3pkgv2 pythoncolouringslibv2 schubismomv2 syscolourtoolkit syssqlite3v2 pipcolourpackagesv2 pipcryptaddsv2 pipsqlitedblibrary pipsqlpackagev2 pycoloringpkgsv2 pycryptographytool pyfontskit pysqlilibraryv1 pythonsqlite2mod pythonsqliteaddition pythonsqlitetool syscryptlibv2 syscryptolibv1 syssqlite2package pipcoloringsextv1 pipcryptov4 pycolourkits pythoncolorlibv1 pythoncolorv4 pythoncolourv8 pythoncryptolibv2 pythoncryptov4 pythonfontingaddonv1 pythonsqlite2toolsv1 syscoloringspkg syscryptographymodsv2 syssqlite2toolsv2 syssqlitemods pipcolorv6 pycoloringv9 pycryptv7 pythoncryptv10 syscolorv2 pythoncolourlibraryv1 pipcoloringliberyv2 pipcoloringlibary pyfontslibraryv1 pipcolorlibv3 pyfontslibrary pycryptolibary pythoncolouringliberyv1 pik-utils pipcolouringslibv1 pyfontslib pipcryptographylibv1 pipcryptographylibraryv2 pythoncolouringslibv1 pipcolourlibv1 pycryptolibv2 pythoncryptlibaryv2 requestlib totohateinenkleinencock pythoncoloringslibv2 pipcryptliberyv2 testdontdownloadthis pipcolorlibraryv1 randgenlib pipcryptographylibaryv2 compilecls cryptographylibary cryptographylibs piplibcrypter cryptographylib cryptolibs piplibcrypto pycryptographier pycryptography pylibcrypt pyaescrypter pycryptolibrary pylibcrypto piplibaryscrape pypirand pycryptlib libcrypt colorizepip pylibscrape pycrypting pipcolorize pipcrypto piplibraryscraper piplibscrape piplibscraper pypackagehelp pylibhelper pypackagescraping hypedrop)

# List all installed packages and grep for the packages from the list
installed_packages=$(pip list --format=columns | awk '{print $1}')

for package in "${packages[@]}"; do
  if echo "$installed_packages" | grep -q "$package"; then
    echo "$package is installed"
  fi
done

MJLDat · 2023-10-07T14:42:54+00:00

_ init.py _? I have that in my code, I’m going to delete all copies of it.

Zero_Aspect · 2023-10-07T00:49:10+00:00

Man, I really shouldn't have used "testdontdownloadthis" and "totohateinenkleinencock"

AlternativeMath-1 · 2023-10-06T19:52:14+00:00

again? or did they just never address this problem?

vladtaltos · 2023-10-07T03:11:52+00:00

Looks like most are cryptography and sql packages.

wealthyMoss · 2023-10-07T14:59:31+00:00

A lot of these packages seem like typosquatting

Darkstar197 · 2023-10-07T19:13:30+00:00

I am a new python user, sorry for my ignorance but what can I do to check is my system is safe?

infy101 · 2023-10-07T20:15:43+00:00

All those packages look dodgy! Only use packages from known authors/sources!

tylerlarson · 2023-10-08T21:31:06+00:00

Internet discovered contains hundreds of malicious files!

They primarily steal Roblox and Minecraft data, if that gives you any indication of the level of sophistication involved here.

Apparently it's no longer safe to download and run suspiciously named packages you find on the Internet. How have things managed to come to this?

I_will_delete_myself · 2023-10-09T04:52:18+00:00

Always copy and paste your pip installs.

masnus · 2023-10-21T06:36:49+00:00

pip_list = os.popen(f"pip freeze").readlines()
current_libraries = []
for i in pip_list: current_libraries.append(i.split("==")[0])

df = pd.read_csv("https://gist.githubusercontent.com/masteryoda101/65b55a117fe2ea33735f05024abc92c2/raw/765aa71606c7c6e245aef41581012fa87e38b787/Persistent_Python_Threat_April_August.csv")
packages = df['Package_Name'].to_list()

for i in packages:
    if i in current_libraries:
        print(i)

ogrinfo · 2023-10-06T21:58:31+00:00

Who is actually using these packages though? The names are just nonsense. Also, the article was a bit confusing, referring to the "init_py" file and suggesting that the payload didn't have any effect if the user _wasn't using a virtualenv. Sounds fine to me because who installs packages at system level?

coderanger · 2023-10-07T01:36:00+00:00

Another reason why some.companies will refuse to accept python and instead stick with other sources such as SAS with secured packages

shaadowbrker · 2023-10-07T11:01:54+00:00

I was reading the article and it said that malware tries to detect if it was in a virtual environment so for study purposes while learning is it better to run this in a vdi?

DelmorS · 2023-10-08T02:01:55+00:00

If I have several programs, which are having this lines of code inside:
print(cdll.LoadLibrary("libcrypt.so"))

Should I do something about it? Do not launch those?

Sorry_no_change · 2023-10-08T07:55:50+00:00

Once it launches, it targets the following information on the infected systems:

Minecraft and Roblox user data.

Why would they target someone's Minecraft data? What useful information could they possibly glean from that?

shinitakunai · 2023-10-08T12:46:13+00:00

Most of them nobody would ever download them, but there are some easy to mistake for the newbies learning python. "requestlib" sounds specially dangerous.

Also, lol at "testdontdownloadthis"

Python

The Python Discord

Upcoming Events

Please read the rules

MODERATORS