PyPI (Python Package Index) temporarily suspended registration of new users and creation of new projects because of a mass upload of malicious packages during an automated attack. The lock was introduced after 566 packages with malicious code, styled after 16 popular Python libraries, were uploaded to the repository on March 26 and 27.
Package names are formed using typosquatting, i.e. choosing similar names that differ in individual characters, for example, Temsorflow instead of Tensorflow, Requyests instead of Requests, Asyincio instead of Asyncio, etc. In such attacks, the attackers count on inattentive users who make a typo or do not notice the difference in the name when searching, or who follow a link from forums and chats in which the attackers leave misleading instructions.
The malicious packages are based on the code of legitimate libraries, with individual changes added that install malware on the system; the malware searches for and exfiltrates confidential data and files containing passwords, access keys, cryptocurrency wallets, tokens and session cookies. The malicious code is placed in the setup.py file, which is executed during installation of the package. When triggered, the modification downloads the main malicious components from an external server.
Over two days the attackers uploaded malicious versions of the tensorflow package, 26 of beautifulsoup, 26 of pygame, 15 of simplejson, 38 of matplotlib, 26 of pytorch, 67 of customtkinter, 28 of selenium, 17 of playwright, 15 of asyncio and 67 of requirements. In addition, there were individual cases of counterfeit versions of the libraries py-cord, colorama, CapMonsterCloudClient, Pillow and bip-utils.
A separate incident affected top.gg, which has 170 thousand users. During the attack, the attacker managed to compromise the account of one of the top.gg developers by stealing browser cookies. The attacker also added three packages to the PyPI repository and registered the domains pypihosted.org and pythanhosted.org, on which a mirror was set up to distribute malicious package dependencies.
Through the hacked account, a change adding a requirements.txt file was committed to the top.gg GitHub repository. The file contained a list of dependencies in which, under the guise of loading a dependency from the mirror, there was a link to a malicious clone of the colorama package, placed on the
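As an added example (not code from the article or from PyPI), the following defensive check scans a requirements.txt for the two patterns described above: requirement names within a small edit distance of a popular package name (the typosquatting of the first part of the article) and direct-URL dependencies pointing at a host other than the official file host (the mirror trick used against top.gg). The sample file, the small list of "known" packages and the look-alike host name are constructed for the example; a real check would use a much larger reference list.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: look-alike names from the article plus a direct-URL
# dependency pointing at a stand-in look-alike mirror host (not the real domain).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
Temsorflow
Requyests
Asyincio
beautifulsoup4
colorama @ https://mirror.example-lookalike.invalid/colorama-0.4.6.tar.gz
"""

# Assumed reference data; a real deployment would use a full popular-package list.
KNOWN_PACKAGES = {"tensorflow", "requests", "asyncio", "beautifulsoup4",
                  "colorama", "matplotlib", "pygame"}
TRUSTED_HOSTS = {"files.pythonhosted.org", "pypi.org"}

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1): d[i][0] = i
    for j in range(len(b) + 1): d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def check_requirements(text, known=KNOWN_PACKAGES, trusted=TRUSTED_HOSTS, max_dist=2):
    """Return (requested_name, finding_kind, detail) tuples for suspicious lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        name, _, url = line.partition("@")           # 'pkg @ URL' direct reference
        name = re.split(r"[<>=!~;\[ ]", name.strip(), maxsplit=1)[0]
        norm = normalize(name)
        if url.strip():                              # direct URL: require a trusted host
            host = urlparse(url.strip()).hostname or ""
            if host not in trusted:
                findings.append((name, "untrusted-host", host))
        if norm in known:                            # exact known name: no look-alike check
            continue
        for k in sorted(known):                      # near-miss of a popular name
            if osa_distance(norm, k) <= max_dist:
                findings.append((name, "lookalike", k))
                break
    return findings
```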