This week in malware we discovered and analyzed 120 packages flagged as malicious, suspicious, or dependency confusion attacks.
As a follow-up to our coverage last week, new details emerged regarding a phishing campaign that sought to steal account credentials of PyPI maintainers and lace their packages with malware.
Phishing caught up in a larger scheme
An investigation of the malicious email campaign that plagued PyPI maintainers last week connected the phishing to a longer, multi-step campaign rather than a one-off operation.
SentinelOne and Checkmarx published a report yesterday that detailed how the threat actor behind the phishing upgraded from small-scale fraudulent applications and typosquatting to major-software-distributor supply chain attacks throughout the year.
Security researchers at the companies identified a threat actor group named “JuiceLedger” as the perpetrator of last week’s phishing campaign. Researchers said the PyPI supply chain attack was the most recent malicious activity in a larger campaign carried out by the group.
Reportedly, the group attempts to distribute a .NET-based malware, dubbed “JuiceStealer,” that steals credential, browser, and cryptocurrency vault information and feeds the ill-gotten goods to a domain (linkedopports[.]com) purportedly controlled by JuiceLedger.
JuiceStealer first appeared on VirusTotal in February 2022, with early iterations of the malware delivered via fake Python installer applications.
Later in the year, JuiceLedger apparently pivoted to packaging its malware in fraudulent crypto-themed applications. Researchers described these as “delivered in a similar scheme to the Python installer” and “embedded within a zip file with additional legitimate software.”
By August 2022, JuiceLedger escalated its threat efforts to supply chain attacks by targeting PyPI maintainers with poisoned open source packages.
As we covered last week, the attack unfolds in sequence: a phishing email claiming that a package "validation process" is required lures the maintainer to a credential-harvesting page, the stolen login credentials are then used to access the maintainer's account, and malware is subsequently dropped into the packages of unsuspecting PyPI maintainers.
Researchers attributed these different methods to JuiceLedger on the basis of shared tactics and the fact that the information stolen by each of them was sent to the same domain believed to be owned by JuiceLedger.
Malicious packages caught by Sonatype this week
PyPI Malicious Packages
cdm-one - Malicious Package
These discoveries follow our report last week of an extensive list of discovered malware as well as a phishing campaign against PyPI maintainers.
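As an added defensive example (not code from Sonatype or from the original post), the script below audits a requirements.txt file for two of the package-level problems discussed above: names that exactly match a known-malicious entry (the blocklist holds cdm-one, the package named on this page) and names that are within a small edit distance of a popular package, the pattern typosquatting relies on. The list of popular packages, the edit-distance threshold and the sample requirements file are constructed for this example; a real deployment would use a much larger reference list and a blocklist fed by a vulnerability or malware data source.

```python
import re
from typing import List, Optional

# Package name reported on this page as malicious; treated here as a blocklist entry.
KNOWN_MALICIOUS = {"cdm-one"}

# Constructed list of well-known package names to use as typosquat targets.
# Assumption: a real deployment would load a far larger list of popular projects.
POPULAR = {"requests", "numpy", "urllib3", "setuptools", "cryptography"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement(line: str) -> Optional[str]:
    """Return the bare project name from one requirements.txt line, or None for
    comments, blank lines and option lines; version specifiers and extras are ignored."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def audit(requirements_text: str, max_distance: int = 2) -> List[dict]:
    """Flag blocklisted names and near-misses of popular names.

    A name that exactly matches a popular package is accepted; a name within
    max_distance edits of one (but not equal to it) is reported as a candidate."""
    findings = []
    for raw in requirements_text.splitlines():
        name = parse_requirement(raw)
        if name is None:
            continue
        norm = normalize(name)
        if norm in KNOWN_MALICIOUS:
            findings.append({"name": name, "reason": "known-malicious"})
            continue
        if norm in POPULAR:
            continue
        for popular in sorted(POPULAR):  # sorted for deterministic output
            d = levenshtein(norm, popular)
            if 0 < d <= max_distance:
                findings.append({"name": name, "reason": f"typosquat-candidate:{popular}", "distance": d})
                break
    return findings


# Constructed sample requirements file: one blocklisted name, two near-misses,
# two legitimate names.
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests==2.28.1
cdm-one
reqeusts>=2.0
numpy
urlib3
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print(finding)
```

Running the block prints three findings: cdm-one as known-malicious, reqeusts as a candidate typosquat of requests (distance 2) and urlib3 as a candidate typosquat of urllib3 (distance 1). The normalization step matters because PyPI treats Cdm_One, cdm.one and cdm-one as the same project, so a blocklist comparison on raw names would miss trivially re-spelled entries.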
Turn on Nexus Firewall for Automatic Protection
As a DevSecOps organization, we remain committed to identifying and halting attacks, such as those mentioned above, against open source developers and the wider software supply chain.
Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.
Nexus Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in progress, thereby keeping your software supply chain protected from the start.
Sonatype’s world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.