- A single typo could let attackers hijack your system using malware hidden in fake packages
- Cross-platform malware now fools even experienced developers by imitating trusted open-source package names
- Attackers exploit developer trust with stealthy payloads that dodge malware protection tools
A new supply chain attack has shown how something as innocent as a typo can open the door to serious cyber security threats, experts have warned.
A report from Checkmarx claims that malicious actors use clever tricks to deceive developers into downloading fake packages, which can then give attackers control over their systems.
The attackers primarily target users of Colorama, a popular Python package, and Colorizr, a similar tool used in JavaScript (npm).
Misleading packages and the threat of typos
“This campaign is targeted at Python and NPM users on Windows and Linux via typosquatting and name-confusion attacks,” said Ariel Harush, a researcher at Checkmarx.
The attackers use a technique called typosquatting: a developer who means to install “Colorama” might accidentally type “Col0rama” or “Coloramaa” and download a harmful version instead.
These fake packages were uploaded to PyPI, the main repository of Python libraries.
“We have found malicious Python (PyPI) packages as part of a typosquatting campaign. The malicious packages allow for remote, persistence, etc.,” said Darren Meyer, security research advocate at Checkmarx.
What makes this campaign unusual is that the attackers mixed names across ecosystems, using names from the npm (JavaScript) world to fool Python users.
This cross-platform targeting is rare and suggests a more advanced and potentially coordinated strategy.
The Windows and Linux campaigns have similar upload patterns and naming, but use different tools, tactics and infrastructure, which means they may not come from the same source.
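The two tricks described above, a near-miss spelling of a real package and a name borrowed from the other ecosystem, can both be caught before `pip install` runs. The script below is an added example written for this article, not Checkmarx's tooling: it audits a requirements file against a per-ecosystem allowlist (the allowlist, the homoglyph table and the sample requirements are constructed), flagging names that fold to a trusted name once look-alike digits are replaced, names within edit distance 2 of a trusted name, and npm names requested from PyPI.

```python
"""Audit a pip requirements list for typosquatting and name-confusion risks.

Added example, not Checkmarx's code. The allowlists, homoglyph table and
sample requirements are constructed for illustration.
"""
from __future__ import annotations

import re

# Constructed allowlists: names an organisation has vetted for each ecosystem.
TRUSTED_PYPI = {"colorama", "requests", "numpy"}
TRUSTED_NPM = {"colorizr", "chalk", "express"}

# Digits commonly swapped in for the letters they resemble (constructed, partial).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (optimal string alignment variant).

    Counts insertions, deletions, substitutions and adjacent transpositions,
    so 'coloarma' is distance 1 from 'colorama'.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(requested: str) -> tuple[str, str]:
    """Return (verdict, reason) for one requested package name."""
    name = normalize(requested)
    if name in TRUSTED_PYPI:
        return ("ok", "on PyPI allowlist")
    if name in TRUSTED_NPM:
        # Cross-ecosystem confusion: an npm name has no business in a pip install.
        return ("block", f"'{name}' is an npm package name, not a vetted PyPI package")
    folded = name.translate(HOMOGLYPHS)
    for trusted in sorted(TRUSTED_PYPI | TRUSTED_NPM):
        if folded == trusted and name != trusted:
            return ("block", f"homoglyph variant of '{trusted}'")
        if edit_distance(name, trusted) <= 2:
            return ("block", f"within edit distance 2 of '{trusted}'")
    return ("review", "not on any allowlist")


def parse_requirement(line: str) -> str | None:
    """Extract the project name from a requirements.txt line; skip comments and options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def audit(requirements_text: str) -> dict[str, tuple[str, str]]:
    """Classify every requirement in the text; keys are the names as written."""
    results: dict[str, tuple[str, str]] = {}
    for line in requirements_text.splitlines():
        name = parse_requirement(line)
        if name:
            results[name] = classify(name)
    return results


# Constructed sample file mixing a correct pin with the look-alikes from the article.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
colorama==0.4.6
Col0rama
coloramaa
coloraiz
colorizr
requests>=2.31
somethingelse
"""

if __name__ == "__main__":
    for name, (verdict, reason) in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{verdict:7} {name:15} {reason}")
```

Run it in CI against the repository's requirements files and fail the build on any `block` verdict; `review` verdicts are the candidates for adding to the allowlist after a human has looked at the package. The allowlist-first ordering matters: two legitimately similar trusted names (such as `colorama` and `colorizr`) must not flag each other.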
Once installed, the fake packages can do serious damage: on Windows systems the malware creates scheduled tasks to maintain persistence and harvests environment variables that may include sensitive credentials.
It also tries to disable even the best antivirus software using PowerShell commands such as Set-MpPreference -DisableIOAVProtection $true.
On Linux systems, packages such as Colorizator and Coloraiz carry encoded payloads that create encrypted reverse shells, communicate via platforms such as Telegram and Discord, and exfiltrate data to services such as Pastebin.
These scripts do not run all at once; they are designed for stealth and persistence, using techniques such as masquerading as core system processes and editing rc.local and crontabs for automatic execution.
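The three Linux persistence tricks just named (crontab entries, rc.local edits and processes disguised as kernel threads) all leave traces a responder can check for on a host. The script below is an added example written for this article, not Checkmarx's tooling: it runs a small set of assumed detection patterns over constructed crontab, rc.local and process-table samples. The pattern list and the sample data are assumptions chosen to illustrate the hunt, not indicators taken from the report.

```python
"""Hunt for cron, rc.local and process-masquerading persistence on Linux.

Added example, not Checkmarx's code. SUSPICIOUS_CMD is an assumed pattern
list and every sample below is constructed; on a real host the inputs would
come from `crontab -l`, /etc/cron.*, /etc/rc.local and /proc/<pid>/{cmdline,comm,exe}.
"""
import re

# (regex, reason) pairs a responder would want flagged in a scheduled command.
SUSPICIOUS_CMD = [
    (r"base64\s+(-d|--decode)", "decodes a base64 payload at run time"),
    (r"(curl|wget)[^|;]*\|\s*(sh|bash|python3?)\b", "pipes a download straight into an interpreter"),
    (r"/(tmp|dev/shm)/\.", "runs from a hidden file in a world-writable directory"),
]

# Real kernel threads appear as "[name]" in ps output because their cmdline is empty.
KERNEL_THREAD_NAME = re.compile(r"^\[[\w/:\-]+\]$")
KERNEL_THREAD_PREFIXES = ("kworker", "ksoftirqd", "kthreadd", "migration")


def check_cron_line(line: str) -> list[str]:
    """Return the reasons a crontab line looks like hidden persistence (empty if none)."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return []
    reasons = [why for pat, why in SUSPICIOUS_CMD if re.search(pat, stripped)]
    if stripped.startswith("@reboot") and reasons:
        reasons.append("runs at every boot")
    return reasons


def check_rc_local(text: str) -> list[tuple[str, list[str]]]:
    """Flag every non-comment rc.local line other than the stock 'exit 0'."""
    findings = []
    for line in text.splitlines():
        s = line.split("#", 1)[0].strip()
        if not s or s == "exit 0":
            continue
        reasons = [why for pat, why in SUSPICIOUS_CMD if re.search(pat, s)]
        findings.append((s, reasons or ["non-default command in rc.local"]))
    return findings


def check_processes(procs: list[dict]) -> list[tuple[int, str, str]]:
    """Flag user-space binaries that present themselves as kernel threads.

    A genuine kernel thread has no exe link and an empty cmdline; a process that
    shows a bracketed name, or a kworker-style comm, while /proc/<pid>/exe resolves
    to a file is masquerading.
    """
    findings = []
    for p in procs:
        looks_like_kthread = bool(KERNEL_THREAD_NAME.match(p["cmdline"])) or p["comm"].startswith(
            KERNEL_THREAD_PREFIXES
        )
        if looks_like_kthread and p["exe"]:
            findings.append((p["pid"], p["cmdline"] or p["comm"], f"masquerades as a kernel thread but exe is {p['exe']}"))
    return findings


def hunt(crontab: str, rc_local: str, procs: list[dict]) -> dict[str, list]:
    """Run all three checks and return findings keyed by source."""
    cron = [(l, check_cron_line(l)) for l in crontab.splitlines()]
    return {
        "cron": [(l, r) for l, r in cron if r],
        "rc_local": check_rc_local(rc_local),
        "processes": check_processes(procs),
    }


# Constructed samples: one benign entry per source beside one suspicious entry.
SAMPLE_CRONTAB = """\
# constructed crontab
0 3 * * * /usr/local/bin/backup.sh
@reboot echo <constructed-base64-blob> | base64 -d | sh
*/10 * * * * /tmp/.cache/.svc
"""
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
# constructed rc.local
nohup /tmp/.cache/.svc >/dev/null 2>&1 &
exit 0
"""
SAMPLE_PROCS = [
    {"pid": 12, "comm": "kworker/0:1", "cmdline": "", "exe": ""},              # real kernel thread
    {"pid": 4242, "comm": "kworker/u8:2", "cmdline": "[kworker/u8:2]", "exe": "/tmp/.cache/.svc"},  # impostor
    {"pid": 900, "comm": "sshd", "cmdline": "/usr/sbin/sshd -D", "exe": "/usr/sbin/sshd"},
]

if __name__ == "__main__":
    for source, findings in hunt(SAMPLE_CRONTAB, SAMPLE_RC_LOCAL, SAMPLE_PROCS).items():
        for f in findings:
            print(source, f)
```

The process check is the one worth wiring into an EDR or osquery schedule: the cmdline and comm fields are under the process's own control, but the `exe` symlink is maintained by the kernel, which is why the comparison between the two is hard to evade.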
Although the malicious packages have been removed from the public repositories, the threat is far from over.
Developers must be very careful when installing packages, because even the best endpoint protection platforms struggle with these evasive tactics. Always check the spelling and make sure the package comes from a trusted source.
Checkmarx recommends that organizations review all deployed and deployable packages, proactively inspect application code, manage private repositories and block known malicious names.