Two packages allowed a remote attacker to run malicious commands on the victim’s device.
The operators of the official repository of Python Package Index (PyPI) components have removed eight libraries (pytagora, pytagora2, noblesse, genesisbot, are, suffer, noblesse2, and noblessev2) containing malicious code.
The malicious packages were detected by the JFrog cybersecurity team and were grouped into two categories based on their malicious operations. Two packages (pytagora and pytagora2) allowed a remote attacker to run malicious commands on the victim’s device, forcing the infected system to connect to the attacker’s IP address via TCP port 9009 and then execute any malicious Python code.
The other six packages (noblesse, genesisbot, are, suffer, noblesse2, and noblessev2) worked primarily to steal data. Once installed on a computer, they stole data, focusing on general system information, Discord tokens and user payment card information (stolen from installed browsers Google Chrome, Opera, Brave, etc.).
These eight libraries have been downloaded more than 30,000 times before being removed from the PyPI repository.
Catch up on more stories here
Follow us on Facebook here