Threat Actors Continue to Flood the PyPI Platform with Information Stealers
Category: Malware Campaigns | Industry: Technology | Level: Strategic | Source: Phylum
The Phylum Research Team has observed a series of malicious uploads to PyPI since December 6, 2022, in which threat actors target software developers in a supply-chain attack that distributes information-stealing malware. In November 2022, Phylum was involved in the shutdown of a PyPI campaign distributing the W4SP information stealer. The current campaign reuses a copy of the W4SP stealer that identifies itself variously as ANGEL stealer, Celestial Stealer, Leaf $tealer, Satan Stealer, and @skid Stealer. However, as Phylum observed, "each deployment appears to have simply tried to do a find/replace of the W4SP references in exchange for some other seemingly arbitrary name. In some cases, not all references were removed and trace strings of “W4SP” remain." Whereas the November W4SP deployments used complex obfuscation, all but one of the new packages drop the stealer's code directly into main.py or __init__.py without any obfuscation or encoding, so the leftover family strings are a plain-text indicator for anyone inspecting a package before installing it. The new packages attracted at least 2,500 downloads before they were taken down following Phylum's research and reporting. It is currently unknown who is behind these operations and whether the same actor ran both campaigns Phylum discovered.
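Because the report says the stealer was dropped unobfuscated and that renamed copies still carry "W4SP" and the other family names as plain strings, a pre-install check can simply grep an extracted package for those names. The script below is an added example, not Phylum's tooling: the indicator list is the set of family names the report gives, the scanned file names follow the report's note that the code landed in main.py or __init__.py (every .py file is scanned so a different drop location is not missed), and the sample package it builds is constructed here for demonstration.

```python
"""Scan an extracted Python package for leftover stealer family strings.

Added example (not from the original report). Indicator strings are the
family names the report lists; the sample package is constructed inline.
"""
import os
import re
import tempfile

# Family names named in the report, plus the W4SP string that the
# find/replace renames left behind in some deployments.
STEALER_NAMES = [
    "W4SP",
    "ANGEL stealer",
    "Celestial Stealer",
    "Leaf $tealer",
    "Satan Stealer",
    "@skid Stealer",
]

# Case-insensitive alternation; re.escape protects "$" and "@".
_PATTERN = re.compile("|".join(re.escape(n) for n in STEALER_NAMES), re.IGNORECASE)
# Map a lower-cased match back to its canonical spelling for reporting.
_CANON = {n.lower(): n for n in STEALER_NAMES}

# Files the report says received the unobfuscated stealer code; the
# scanner still looks at every .py file and only uses this set for a note.
REPORTED_DROP_FILES = {"main.py", "__init__.py"}


def scan_file(path):
    """Return the sorted list of canonical indicator names found in one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted({_CANON[m.group(0).lower()] for m in _PATTERN.finditer(text)})


def scan_package(root):
    """Walk an extracted package tree and map each flagged .py file
    (path relative to root, POSIX separators) to the indicators it contains."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".py"):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_package():
    """Create a constructed (hypothetical) package layout in a temp dir and
    return its root. __init__.py imitates a renamed copy with a leftover
    W4SP reference; util.py is benign."""
    root = tempfile.mkdtemp(prefix="pypi-scan-")
    pkg = os.path.join(root, "evilpkg")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "__init__.py"), "w", encoding="utf-8") as fh:
        fh.write(
            "# angel stealer - constructed sample, not real malware\n"
            "class W4SP:  # rename missed this reference\n"
            "    pass\n"
        )
    with open(os.path.join(pkg, "util.py"), "w", encoding="utf-8") as fh:
        fh.write("def add(a, b):\n    return a + b\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_package()
    for rel_path, hits in scan_package(sample_root).items():
        note = " (reported drop location)" if os.path.basename(rel_path) in REPORTED_DROP_FILES else ""
        print(f"{rel_path}{note}: {', '.join(hits)}")
```

Point scan_package at a directory produced by `pip download <pkg> --no-deps --no-binary :all:` followed by `tar xzf`, or at an unzipped wheel, and review any file it flags before running `pip install`. A clean result is not proof of safety, since a campaign that finishes its renames or re-adds obfuscation will not match this string list; it only catches the sloppy reuse the report describes.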