In early August, ReversingLabs identified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that gives asynchronous support for a range of databases.

Malicious packages on PyPI copy W4SP attacks to steal users’ credentials and crypto wallet data. This incident illustrates issues in open-source ecosystems.

Sonatype's malicious open source and malware detection systems found hundreds of malicious PyPI packages.

Follow security researchers as they uncover malicious packages on open-source registries, trace bad actors to Discord, and unveil AI-assisted code.

The FortiGuard Labs team discovered an attack embedded in three PyPI packages called ‘colorslib’, ‘httpslib’, and “libhttps”. Read our blog to learn more.

After inadvertently finding that InfoSys leaked an AWS key on PyPi I wanted to know how many other live AWS keys may be present on Python package index. After scanning every release published to PyPi I found 57 valid access keys from organisations like:

Amazon themselves 😅
Intel
Stanford, Portland and Louisiana University
The Australian Government
General Atomics fusion department
Terradata
Delta Lake
And Top Glove, the worlds largest glove manufacturer 🧤

A malicious Python file found on the PyPI repo adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.

Malicious packages that download ransomware binaries written in Golang published today, with more expected in the coming hours.

Here's ReversingLabs' discoveries and indicators of compromise (IOCs) for W4SP, as well as links to our YARA rule that can be used to detect the malicious Python packages in your environment. 

Last week, our automated risk detection platform alerted us to suspicious activity in dozens of newly published PyPI packages. Here's what we uncovered.

A new threat actor is spreading infostealer malware through targeted attacks on developers and fraudulent cryptotrading applications.

We used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI.

This week, immensely popular PyPI package 'ctx' has been compromised and altered to steal environment variables from its users. Additionally, a forked PHP project 'phpass' also suffered a repo-hijacking attack with the project tained with identical malicious payload.

Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems.