This Week in Malware - A PyPI Phishing Follow-up Plus 120 Packages

September 02, 2022 By Aaron Linskens


This week in malware we discovered and analyzed 120 packages flagged as malicious, suspicious, or dependency confusion attacks.

As a follow-up to our coverage last week, new details emerged regarding a phishing campaign that sought to steal account credentials of PyPI maintainers and lace their packages with malware.

Phishing caught up in a larger scheme

An investigation of the malicious email campaign that plagued PyPI maintainers last week tied the phishing to one step in a longer, multi-stage campaign rather than a one-off operation.

SentinelOne and Checkmarx published a report yesterday detailing how the threat actor behind the phishing escalated over the course of the year from small-scale fraudulent applications and typosquatting to supply chain attacks against major software distributors.

Security researchers at the companies identified a threat actor group named “JuiceLedger” as the perpetrator of last week’s phishing campaign. Researchers said the PyPI supply chain attack was the most recent malicious activity in a larger campaign carried out by the group.

Reportedly, the group attempts to distribute a .NET-based malware, dubbed “JuiceStealer,” that steals credentials, browser data, and cryptocurrency vault information and sends the stolen data to a domain (linkedopports[.]com) purportedly controlled by JuiceLedger.

JuiceStealer first appeared on VirusTotal in February 2022, with early iterations of the malware delivered via fake Python installer applications.

Later in the year, JuiceLedger apparently pivoted to packaging its malware in fraudulent crypto-themed applications. Researchers described these as “delivered in a similar scheme to the Python installer” and “embedded within a zip file with additional legitimate software.”

By August 2022, JuiceLedger had escalated to supply chain attacks, targeting PyPI maintainers in order to poison open source packages.

As we covered last week, the delivery chain begins with a phishing email that claims the maintainer must complete a validation process; that bogus validation step steals login credentials, which are then used to drop malware into the packages of unsuspecting PyPI maintainers.

Researchers attributed these different methods to JuiceLedger based on shared tactics and on the fact that the data stolen by each method was sent to the same domain believed to be owned by JuiceLedger.

Malicious packages caught by Sonatype this week

We caught the following this week via Sonatype’s automated malware detection system, offered as a part of Nexus Firewall:


These discoveries follow our report last week of an extensive list of discovered malware as well as a phishing campaign against PyPI maintainers.
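Many of the names caught this week are near-misses of popular packages or of Python standard library modules. The following pre-install check is an added example, not code from Sonatype or from the SentinelOne/Checkmarx report; it flags candidate names by edit distance against a small constructed allowlist and the stdlib module list, and the allowlist, thresholds and sample names are assumptions chosen for illustration.

```python
# Added example, not code from Sonatype or the SentinelOne/Checkmarx report: a
# pre-install check for names that look like typosquats of popular PyPI packages
# or of Python standard library modules. Allowlist and thresholds are assumptions.
import sys

# Constructed allowlist of widely used PyPI packages (illustrative, not exhaustive).
POPULAR = {"flake8", "fuzzywuzzy", "web3", "pyinstaller", "cryptography", "requests"}
# sys.stdlib_module_names exists on Python 3.10+; a few names are hard-coded as a fallback.
_STDLIB_RAW = set(getattr(sys, "stdlib_module_names", ())) | {"threading", "csv", "argparse"}
STDLIB = {m.lower().replace("_", "-") for m in _STDLIB_RAW}


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as one edit each."""
    # First row/column hold the distance to the empty string.
    d = [[max(i, j) if min(i, j) == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. "cvs" vs "csv"
    return d[-1][-1]


def classify(name: str) -> str:
    """Return 'ok', 'stdlib-shadow', or 'typosquat:<target>' for a candidate package name."""
    n = name.lower().replace("_", "-")
    if n in POPULAR:
        return "ok"
    if n in STDLIB:
        return "stdlib-shadow"  # a stdlib module never needs installing from PyPI
    hits = []
    for target in POPULAR | STDLIB:
        if len(target) < 3:
            continue  # two-letter names such as "os" or "re" would match almost anything
        dist = osa_distance(n, target)
        if dist <= (1 if len(target) <= 4 else 2):  # tighter bound for short targets
            hits.append((dist, target))
    return f"typosquat:{min(hits)[1]}" if hits else "ok"


if __name__ == "__main__":
    # Sample names taken from this week's list, plus two legitimate packages.
    for pkg in ["flak7", "fuzywuzy", "wec3", "cvs", "threadin", "rgparse", "pyinstaler", "flake8", "numpy"]:
        print(f"{pkg:12} -> {classify(pkg)}")
```

A check like this is a coarse filter, not a substitute for automated malware analysis: it only catches names that resemble something on the allowlist, and a real deployment would pull the allowlist from an organization's own approved-dependency inventory.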

Turn on Nexus Firewall for Automatic Protection

As a DevSecOps organization, we remain committed to identifying and halting attacks, such as those mentioned above, against open source developers and the wider software supply chain.

Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.

[Image: A flowchart representation of how Nexus Firewall works]

Nexus Firewall instances automatically quarantine any suspicious component detected by our automated malware detection systems while a researcher's manual review is in progress, keeping your software supply chain protected from the start.

Sonatype’s world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.

Tags: vulnerabilities, PyPI, malware prevention, DevZone, This Week in Malware

Written by Aaron Linskens

Aaron is a technical writer on Sonatype's Developer Relations team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they can build the right software.