Some fake Python packages are typosquatting the popular requests library: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste.
The rogue packages are infected and contain source code that retrieves Golang-based ransomware, depending on the victim’s operating system and microarchitecture. If executed successfully, the package will encrypt data and demand a $100 ransom in cryptocurrency, according to Phylum.
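The defender's counterpart to the list above is a pre-install check that flags dependency names within one edit of a popular package name. The following is an added example, not code from the article or from Phylum; `POPULAR`, `SAMPLE_REQUIREMENTS` and the function names are this example's own, and the twelve reported names are embedded as a check set.

```python
# Added example (not from the article or Phylum): flag requirement lines whose
# name is a near-miss of a popular package name.
import re

POPULAR = {"requests"}  # names to protect; the article discusses only requests

# The fake packages the article reports as typosquatting "requests".
REPORTED_TYPOSQUATS = {
    "dequests", "fequests", "gequests", "rdquests", "reauests", "reduests",
    "reeuests", "reqhests", "reqkests", "requesfs", "requesta", "requeste",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    # PEP 503 name normalization: lowercase, runs of "-", "_" and "." become "-".
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line: str):
    """Return the project name from one requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None

def find_typosquats(requirements: str, max_distance: int = 1) -> dict[str, str]:
    """Map each suspicious requirement name to the popular name it resembles."""
    hits = {}
    for line in requirements.splitlines():
        name = requirement_name(line)
        if not name:
            continue
        n = normalize(name)
        if n in POPULAR:
            continue  # the genuine package itself is never a hit
        for target in POPULAR:
            if edit_distance(n, target) <= max_distance:
                hits[name] = target
    return hits

# Constructed sample requirements file: one genuine line, one typosquat, one unrelated.
SAMPLE_REQUIREMENTS = "requests==2.28.1\nreqkests\nnumpy>=1.23  # fine\n"
```

Running `find_typosquats(SAMPLE_REQUIREMENTS)` reports `reqkests` as resembling `requests`; every name in the article's list sits exactly one edit away from `requests`, which is why a distance threshold of 1 already catches all of them.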
Five libraries were spotted on npm acting in the same manner: discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd and telnservrr. We don’t know for sure if this is related to the PyPI campaign, but it is a sign of how widespread this threat has become.
ReversingLabs recently discovered 10 new PyPI packages pushing a modified version of the W4SP Stealer malware. This attack seems to have started around September 25, 2022, and targets developers by providing them with “free” versions of software that contain malware.
That’s not all. Recently, Israel-based security firm Legit Security demonstrated a new attack technique against the Rust repository (“rust-lang”) that abuses GitHub Actions for poisoning legitimate artifacts. Build artifacts are the files created by the build process, such as distribution packages, WAR files, logs, and reports. This means that if a malicious actor trojanized an artifact, it could steal sensitive information from, or deliver additional payloads to, all of that artifact’s downstream users.
“The vulnerability was found in a workflow called ‘ci.yml,’” Legit Security’s Noam Dotan said in his technical analysis of the problem. This exploit would allow an attacker to foist malware onto a GitHub workflow and tamper with repository branches, pull requests, issues, or releases.
A group of volunteers who maintain the Rust programming language released a patch on September 26, 2022, following responsible disclosure on September 15, 2022.