Researchers have discovered more than two dozen Python packages on the PyPI registry that push info-stealing malware. Most contain obfuscated code that drops the "W4SP" info-stealer on infected machines; the rest carry malware purportedly created for "educational purposes" only.

Threat actors publishing these typosquat packages deliberately chose names that resemble well-known Python libraries, betting that a developer who mistypes a package name will install the malicious package instead of the intended one. Examples of the typosquat names include algorithmic, colorsama, colorwin and curlapi.
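The lookalike-name trick above can be caught before `pip install` runs by comparing each requested dependency against an allow-list of approved packages and reporting anything that is off the list, together with the approved name it most closely resembles. The script below is an added example, not code from the article or from any of the packages it describes; the allow-list, the edit-distance threshold and the sample requirements file are constructed for illustration (the requirements mix real package names with the typosquat names the article reports).

```python
"""Flag dependency names that are not on an allow-list and look like typosquats.

Added example (not from the original article). KNOWN_PACKAGES and
SAMPLE_REQUIREMENTS are constructed for illustration; in practice the
allow-list would be your organisation's approved packages.
"""
import re
from typing import List, Optional, Tuple

# Constructed allow-list of approved package names (assumption, not a real policy).
KNOWN_PACKAGES = ["algorithms", "colorama", "requests", "pycurl", "numpy", "urllib3"]

# Constructed requirements file: legitimate names mixed with the typosquat
# names reported in the article.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
colorsama
numpy>=1.24
colorwin
algorithmic
curlapi
urllib3
"""


def normalize(name: str) -> str:
    """Normalize a project name the way PyPI does (PEP 503): lower-case, and
    any run of '-', '_' or '.' collapses to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line: str) -> Optional[str]:
    """Extract the project name from one requirements.txt line, dropping
    comments, version specifiers and extras. Returns None for blank lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def find_suspects(
    requirements_text: str, known=KNOWN_PACKAGES, max_distance: int = 3
) -> List[Tuple[str, Optional[str], Optional[int]]]:
    """Return (requested_name, closest_approved_name, distance) for every
    requested package that is not on the allow-list. The lookalike fields are
    None when no approved name is within max_distance edits, so names that are
    merely plausible-sounding (rather than misspellings) are still reported."""
    known_norm = {normalize(k): k for k in known}
    suspects = []
    for line in requirements_text.splitlines():
        name = requirement_name(line)
        if name is None:
            continue
        n = normalize(name)
        if n in known_norm:
            continue  # exact match with an approved package
        best = min(known_norm, key=lambda k: levenshtein(n, k))
        d = levenshtein(n, best)
        if d <= max_distance:
            suspects.append((name, known_norm[best], d))
        else:
            suspects.append((name, None, None))
    return suspects


if __name__ == "__main__":
    for requested, lookalike, dist in find_suspects(SAMPLE_REQUIREMENTS):
        if lookalike is None:
            print(f"{requested!r} is not an approved package")
        else:
            print(f"{requested!r} is {dist} edit(s) from approved package {lookalike!r}")
```

The allow-list, not the edit distance, is the control: curlapi is rejected even though it is not close to any approved name, while colorsama, algorithmic and colorwin are additionally annotated with the package they imitate. The threshold of three edits is a tuning choice; lower it if the annotation produces too many coincidental matches.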

Impact

Python is one of the most widely used programming languages, and its package index, PyPI, is where users find and install software developed and shared by the Python community. These packages appear to be a more sophisticated attempt to deliver the W4SP Stealer onto Python developers' machines. Because installing a package runs its code on the developer's machine, a single mistyped dependency is enough to expose whatever credentials and tokens that machine holds.

DXC perspective

DXC recommends that Python users install only trusted, verified packages from PyPI: check the exact package name and maintainer on the PyPI project page before adding a dependency, and pin dependencies so that a one-character typo cannot silently pull in a different project. Regular security awareness training, coupled with the right cyber defense tools, can help developers spot malicious packages.