Dozens of PyPI packages caught dropping ‘W4SP’ info-stealing malware


Researchers have discovered over two dozen Python packages on the PyPI registry that are pushing info-stealing malware.

Most of these contain obfuscated code that drops “W4SP” info-stealer on infected machines, while others make use of malware purportedly created for “educational purposes” only.

31 typosquats drop ‘W4SP’ info-stealer

Researchers have identified over two dozen Python packages on the PyPI registry that imitate popular libraries but instead drop info-stealers after infecting machines.

The packages, listed below, are typosquats—that is, threat actors publishing these have intentionally named them similar to known Python libraries in hopes that developers attempting to fetch the real library make a spelling error and inadvertently retrieve one of the malicious ones.

Software supply chain security firm Phylum revealed 29 packages in its report published yesterday:

  1. algorithmic
  2. colorsama
  3. colorwin
  4. curlapi
  5. cypress
  6. duonet
  7. faq
  8. fatnoob
  9. felpesviadinho
  10. iao
  11. incrivelsim
  12. installpy
  13. oiu
  14. pydprotect
  15. pyhints
  16. pyptext
  17. pyslyte
  18. pystyle
  19. pystyte
  20. pyurllib
  21. requests-httpx
  22. shaasigma
  23. strinfer
  24. stringe
  25. sutiltype
  26. twyne
  27. type-color
  28. typestring
  29. typesutil

Taking ‘typesutil’ as an example, Phylum researchers explained how the threat actor was injecting malicious code via the “__import__” statement into “otherwise healthy codebase” borrowed from legitimate libraries, a theme we’ve repeatedly seen before.

PyPI typesutil package among one of the typosquats dropping W4SP infostealerPyPI package ‘typesutil’ is one of the typosquats dropping W4SP infostealer (Phylum)

“…This particular attack starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase,” write Phylum researchers.

“The benefit this attacker gained from copying an existing legitimate package, is that because the PyPI landing page for the package is generated from the and the, they immediately have a real looking landing page with mostly working links and the whole bit. Unless thoroughly inspected, a brief glance might lead one to believe this is also a legitimate package.”

Obfuscated Python codeObfuscated Python code found in typosquats (Phylum)

In the report, the researchers explain in great detail the challenges they faced while analyzing the obfuscated code spanning over 71,000 characters which was “quite a bit of mud” they had to trudge through.

Ultimately, the researchers concluded that the malware dropped by these packages was W4SP Stealer that exfiltrates your Discord tokens, cookies and saved passwords.

All of the packages put together have been downloaded over 5,700 times based on stats, report Phylum researchers.

In August, Kaspersky Securelist researchers had also analyzed malicious PyPI packages which, much like these, were obfuscated with open source tool called Hyperion and caught dropping W4SP.

Type me once, read me twice!

Additionally, software developer and researcher Hauke Lübbers came across PyPI packages “pystile” and “threadings” containing malware that labeled itself “GyruzPIP.”

pystile package PyPI page‘Pystile’ falsely claims to be a “simple module to color… text” (BleepingComputer)

According to the researcher, however, this malware is based on an open source project called evil-pip published for “educational purposes only.”

BleepingComputer observed the code contained within these two typosquats was much simpler to analyze: with each function name clearly stating its intended purpose, e.g. stealing Chrome passwords, browser cookies, Discord tokens, and uploading all of this data to a Discord webhook.

Excerpt from pystile malicious PyPI packageExcerpt from ‘pystile’ malicious PyPI package (BleepingComputer)

Lübbers, who has reported these packages to PyPI admins, told BleepingComputer that these projects would likely need to be included as dependencies in a program for them to exhibit malicious behavior.

He pointed us to two test repositories [1, 2] purportedly created by the malware authors and also reported these to GitHub.

This week’s development marks another incident among a series of typosquatting attacks targeting developers while leveraging open source software distribution platforms like PyPI and npm.


Related posts

U.S. doubles reward for tips on North Korean-backed hackers

Sarah Henriquez

Suspected Zeus cybercrime ring leader ‘Tank’ arrested by Swiss police

Sarah Henriquez

Microsoft accounts targeted with new MFA-bypassing phishing kit

Sarah Henriquez

Leave a Comment