Malicious PyPI Packages Found Exfiltrating Data and Opening Reverse Shells
While looking at some newly added PyPI packages this week one caught my eye, 10Cent10. As I opened the setup.py file for the package it was evident that it was opening a reverse shell to a remote host. Digging a bit deeper it seems that between September 26, 2021 and September 29, 2021 nine new malicious packages were published on PyPI. All the packages were published by a single user named j0j0j0. Seven of the packages exfiltrate some host data during the installation to a remote web server. The remaining two packages open up a reverse shell to a remote host.
Details of Packages
The malicious packages are 10Cent10, 10Cent11, 11Cent, 12Cent, 13Cent, 14Cent, 15Cent, 16Cent and Oksana. The table below shows the malicious packages with a summary of the malicious behaviour of each package.
None of the packages seem to be typo squatting existing PyPI packages — there are existing PyPI package names starting with tencent, but it is not clear that they are the target of typo squatting. In addition the malicious packages do not contain any additional Python code other than the code in setup.py. All of the malicious packages have very high version numbers starting with 999.0 which may indicate an attempt (or testing) of a dependency confusion attack.
The two reverse shell packages are almost identical with just a difference in the TCP port of the remote host it connects to for the reverse shell. The seven packages that exfiltrate data from the host where the install is performed, all have slight variations in the data it collects and sends to a remote web server. The next section highlights some of the data collected.
Detailed Analysis of Malicious Behaviour
For more details on how PyPI packages are used in typo squatting and supply chain attacks see my article here.
All nine malicious packages uses the setup.py file to implement the malicious code, which results in malicious behaviour during the package installation. The code (the setup.py file) for 10Cent10 is shown below. It implements a standard reverse shell in Python and there is no attempt made to obfuscate the code. All nine packages follow a similar format for the setup.py file with the malicious code implemented in CustomInstall.run().
The 12Cent package collects the hostname, current username and the directory listings of various directories on the host where it is installed. In addition, it collects the wget hosts file which may contain information regarding an organisation’s internal web servers. The malicious code also exfiltrates the content of the .dockerenv file which may contain secrets like API tokens, passwords etc. if this package was installed inside a docker container. All seven of the data exfiltration packages contains some variations of the code shown below with some packages collecting less or slightly different things.
Impact of Malicious Packages
These malicious packages have been in the PyPI repository for a limited time which limits the duration of time that someone could accidentally download and install them. The specific number of downloads for each package can be retrieved from https://pypistats.org/, but at the time of writing the 10Cent10 package was downloaded about 89 times and the Oksana package about 112 times.