
Malicious PyPI Packages Use Cloudflare Tunnels to Affect Firewalls


Malicious activity is quite common these days, especially in the IT sector. Every now and then there is news of malicious activity on social media, in apps and against firewalls. One such campaign targeted the Python Package Index (PyPI) repository, where six malicious PyPI packages were found deploying information stealers on developer systems.

The packages were discovered by Phylum between December 22 and December 31, 2022, and include pyrologin, easytimestamp, discorder, discord-dev, and pythonstyles. They have since been removed, so there is nothing to worry about.
Beware of Malicious PyPI Packages

For those wondering how the malware is deployed: the malicious code is concealed in the setup script of these libraries, so it runs as soon as a "pip install" command is executed. The malware is designed to launch a PowerShell script that retrieves a ZIP archive and installs invasive dependencies such as pynput, pydirectinput, and pyscreenshot.

Describing what these dependencies enable, Phylum said:

“These libraries allow one to control and monitor mouse and keyboard input and capture screen contents, saved passwords, and cryptocurrency wallet data from Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, Opera GX, and Vivaldi browsers.”

The person behind it also downloads and installs cloudflared, the command-line client for Cloudflare Tunnel, in order to remotely access the compromised machine through a Flask-based app. Through it the attacker can run shell commands, download remote files and execute them on the host, exfiltrate files and entire directories, and even run arbitrary Python code.
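The install-time execution described above (a setup script that launches PowerShell, fetches a ZIP archive and pulls in cloudflared) is something a defender can screen for before running "pip install". The following static check is an added example, not code from Phylum or from this article: it parses a setup.py with Python's ast module and flags install-hook classes, command-execution calls and strings matching the behaviour the report describes. The sample setup script is constructed for the demonstration; the names and thresholds are this example's own assumptions.

```python
import ast
import re

# Calls that execute code or commands while `pip install` runs the setup script.
RISKY_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output", "exec", "eval"}
# String fragments matching the behaviour the report describes (PowerShell, ZIP, cloudflared).
RISKY_STRINGS = re.compile(r"powershell|cloudflared|\.zip|encodedcommand|base64", re.I)
# setuptools command classes a package may subclass to hook the install step.
INSTALL_HOOK_BASES = {"install", "develop", "setuptools.command.install.install"}

def _dotted(node):
    """Return 'pkg.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_setup(source: str) -> list:
    """Return (finding, line) pairs for a setup.py source, sorted by line then name."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _dotted(node.func) in RISKY_CALLS:
            findings.add((f"call:{_dotted(node.func)}", node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            m = RISKY_STRINGS.search(node.value)
            if m:
                findings.add((f"string:{m.group(0).lower()}", node.lineno))
        elif isinstance(node, ast.ClassDef):
            if {_dotted(b) for b in node.bases} & INSTALL_HOOK_BASES:
                findings.add((f"hook:{node.name}", node.lineno))
    return sorted(findings, key=lambda f: (f[1], f[0]))

# Constructed sample (not a real package): an install hook that launches PowerShell.
SAMPLE_SETUP = '''\
from setuptools import setup
from setuptools.command.install import install
import subprocess
class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.Popen(["powershell", "-c", "Expand-Archive stage.zip"])
setup(name="pkg", cmdclass={"install": PostInstall})
'''
```

Run scan_setup over a downloaded sdist's setup.py before installing; any "hook:" or "call:" finding is a reason to read the script by hand rather than let pip execute it.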
