Cybersecurity researchers have just found malicious Python package on PyPI.
According to estimates from the security research team at DevOps specialists JFrog, the eight malicious Python packages were downloaded more than 30,000 times.
The researchers’ analysis reveals that the tainted packages are designed to sniff out credit card information that’s usually auto-saved by some popular web browsers including Chrome and Edge.
PyPI has purged the packages after being alerting by JFrog. According JFrog, in addition to siphoning credit card details, the packages also scraped tokens of the Discord messaging platform, which could be used to impersonate the user.
PyPI has been at the receiving end of several campaigns to poison the repository with malicious packages. Earlier this year in June, PyPI was purged of half a dozen typosquatting packages that contained cryptomining malware, and a month before that the repository was flooded with spam packages.
In fact, a recent study revealed that almost half of the packages in PyPI have one or more security issues.
The researchers believe a lack of moderation and automated security controls in PyPI and other public software repositories makes it fairly straightforward for threat actors to inject malicious code.
JFrog suggests that developers must integrate preventive measures such as verification of library signatures in their CI/CD pipelines, along with tools that scan for suspicious code.
