Threat actors have published yet another wave of malicious Python Package Index (PyPI) packages to deliver information-stealing malware to compromised developer machines.
Phylum, a cybersecurity company, found that the packages all deliver variants of W4SP Stealer going by the names ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer, Satan Stealer, and @skid Stealer.
The primary purpose of W4SP Stealer is to steal sensitive user information, including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. An actor with the aliases BillyV3, BillyTheGoat, and billythegoat356 created and published it.
In a report released this week, researchers stated, “For whatever reason, each deployment appears to have attempted a simple find/replace of W4SP references with a seemingly arbitrary name.”
The 16 rogue modules are modulesecurity, informmodule, chazz, randomtime, proxygeneratorbil, easycordey, easycordeyy, tomproxies, sys-ej, py4sync, infosys, sysuptoer, nowsys, upamonkws, captchaboy, and proxybooster.
The distribution campaign for W4SP Stealer gained traction around October 2022, although evidence suggests it may have begun as early as August 25, 2022. Since then, persistent threat actors have uploaded dozens of additional bogus packages containing W4SP Stealer to the PyPI repository.
For what it’s worth, the most recent iteration of the activity makes no attempt to conceal its malicious intent, except in the case of chazz, which downloads obfuscated Leaf $tealer malware hosted on the klgrth[.]io paste service.
Notably, previous versions of the attack chains have been observed retrieving Python code for the subsequent stage directly from a public GitHub repository, which then drops the credential stealer.
The proliferation of new copycat variants coincides with GitHub’s removal of the repository containing the original W4SP Stealer source code, indicating that cybercriminals unaffiliated with the operation are also using the malware to target PyPI users.
“Open-source ecosystems such as PyPI, NPM, and the like are easy targets for these types of actors to attempt to deploy malware,” the researchers said. “Their attempts will only increase in frequency, persistence, and sophistication.”
The software supply chain security company, which monitored the threat actor’s Discord channel, also observed that a previously flagged package known as pystyle had been trojanized by BillyTheGoat to distribute the stealer.
The module began in September 2021 as an innocuous utility for formatting console output and has since amassed thousands of monthly downloads. The malicious modifications were introduced in versions 2.1 and 2.2, released on October 28, 2022.
BillyTheGoat informed Phylum in “unsolicited correspondence” that these two versions, which were available on PyPI for roughly an hour before being removed, allegedly received 400 downloads.
The researchers cautioned, “Just because a package is benign today and has a history of being benign for years does not mean it will remain benign. Threat actors have demonstrated extraordinary patience in constructing legitimate packages, poisoning them with malware only after they have gained sufficient popularity.”
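The pystyle case is the defender's lesson here: a release of a long-trusted dependency still has to be vetted before it is adopted. The script below is an added example (not Phylum's tooling and not from the report) of a static triage pass that a reviewer can run over the source of a new release before installing it. It flags the indicators the article mentions, a paste-service download (the klgrth[.]io host is from the report; the other hosts, the blob-length threshold, and the rule names are assumptions) and an obfuscated payload handed to `exec()`, plus generic install-time network imports. Both sample inputs are constructed for the example.

```python
"""Static triage of a Python package's setup.py for install-time execution
and obfuscation indicators. Added example; the thresholds, rule names and
the extra paste hosts are assumptions, not values from the report."""
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int      # 0 means "file-level" (no single line applies)
    rule: str
    detail: str


# klgrth.io is the host named in the report; the others are assumed extras.
PASTE_HOSTS = ("klgrth.io", "pastebin.com", "hastebin.com")
DYNAMIC_EXEC = {"exec", "eval"}
DECODERS = {"b64decode", "b85decode", "decompress", "unhexlify", "fromhex"}
NETWORK_MODULES = {"urllib", "requests", "socket", "http"}
LONG_LITERAL = 200  # assumed threshold: base64-looking literals this long are blobs


def _dotted(node):
    """Dotted name of a call target, e.g. 'base64.b64decode'; '' if not a name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _has_decoder(node):
    """True if any call nested under `node` targets a decoding function."""
    return any(
        isinstance(n, ast.Call) and _dotted(n.func).rsplit(".", 1)[-1] in DECODERS
        for n in ast.walk(node)
    )


def triage(source, filename="setup.py"):
    """Return a list of Finding objects for the given Python source."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        return [Finding(exc.lineno or 0, "unparseable", "inspect manually")]
    findings, imports = [], set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in DYNAMIC_EXEC and _has_decoder(node):
                findings.append(Finding(node.lineno, "exec-of-decoded-data", f"{name}() over decoded payload"))
            elif name in DYNAMIC_EXEC:
                findings.append(Finding(node.lineno, "dynamic-exec", f"{name}() call"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            host = next((h for h in PASTE_HOSTS if h in text), None)
            if host:
                findings.append(Finding(node.lineno, "paste-service-url", host))
            if len(text) >= LONG_LITERAL and re.fullmatch(r"[A-Za-z0-9+/=]+", text):
                findings.append(Finding(node.lineno, "encoded-blob", f"{len(text)}-char literal"))
    net = sorted(m for m in imports if m.split(".")[0] in NETWORK_MODULES)
    if net:
        findings.append(Finding(0, "network-import", ", ".join(net)))
    return findings


def rules(source):
    """Sorted, de-duplicated rule names that fired; handy for a quick verdict."""
    return sorted({f.rule for f in triage(source)})


# Constructed sample: a plain setup.py with nothing to flag.
BENIGN_SETUP = '''from setuptools import setup
setup(name="example-util", version="2.0", packages=["example_util"])
'''

# Constructed sample shaped like a trojanized release: a base64 blob fed to
# exec() and a paste-service URL. The payload is just 'AAA...' repeated.
_BLOB = "QUFB" * 60
SUSPICIOUS_SETUP = f'''from setuptools import setup
import base64, urllib.request
blob = "{_BLOB}"
exec(base64.b64decode(blob))
url = "https://klgrth.io/raw/placeholder"
setup(name="example-util", version="2.1")
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, rules(src))
        for f in triage(src):
            print(f"  line {f.line}: {f.rule} ({f.detail})")
```

Run it against the new release's setup.py (and the package modules) rather than the version already in your lockfile; a clean history tells you nothing about the release in front of you, and a diff between the vetted and candidate versions is where these indicators show up. Any hit on `exec-of-decoded-data` or `paste-service-url` warrants a manual read before the version is pinned.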