Cybersecurity researchers have identified malicious packages in the open source Python Package Index (PyPI) repository that deliver an information-stealing malware called The White Snake Thief on Windows systems.
The malware-containing packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They were uploaded by a threat actor called “WS”.
“These packages embed Base64 encoded source code of PE or other Python scripts within their setup.py files,” Fortinet FortiGuard Labs said in an analysis published last week.
“Depending on the operating system of the victim devices, the final malicious payload is released and executed when these Python packages are installed.”
While Windows systems are infected by WhiteSnake Stealer, compromised Linux hosts are provided with a Python script designed to gather information. The activity, which primarily targets Windows users, overlaps with an earlier campaign disclosed last year by JFrog and Checkmarx.
“The Windows-specific payload has been identified as a variant of the […] The WhiteSnake malware, which has an Anti-VM mechanism, communicates with a C&C server using the Tor protocol and is capable of stealing information from the victim and executing commands,” JFrog noted in April 2023.
It is also designed to capture data from web browsers, cryptocurrency wallets, and apps such as WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram.
Checkmarx is tracking the threat actor behind the campaign under the moniker PYTA31, saying the ultimate goal is to exfiltrate sensitive data and specifically that related to crypto wallets from the targeted machines.
Some of the newly released rogue packages were also observed to incorporate clipper functionality to overwrite clipboard contents with wallet addresses owned by the attacker to perform unauthorized transactions. Some others have been configured to steal data from browsers, applications, and encryption services.
Fortinet said the discovery “demonstrates the ability of a single malware author to spread numerous information-stealing malware packages in the PyPI library over time, each characterized by distinct payload complexities.”
The disclosure comes as ReversingLabs discovered two malicious packages in the npm package registry that exploit GitHub to store Base64 encrypted SSH keys stolen from the developers’ systems on which they were installed.