Cybersecurity researchers have identified a malicious Python package that purports to be a fork of the popular requests library and has been found concealing a Golang version of the Sliver command-and-control (C2) framework inside a PNG image of the project's logo.
The package using this steganographic trickery is requests-darwin-lite, which had been downloaded 417 times before it was taken down from the Python Package Index (PyPI) registry.
Requests-darwin-lite "appeared to be a fork of the ever-popular requests package with a few key differences, most notably the inclusion of a malicious Go binary packed into a large version of the actual requests side-bar PNG logo," software supply chain security firm Phylum said.
The changes were introduced in the package's setup.py file, which was configured to decode and execute a Base64-encoded command to gather the system's Universally Unique Identifier (UUID).
In an interesting twist, the infection chain proceeds only if the identifier matches a specific value, implying that the author(s) behind the package are attempting to breach a particular machine whose identifier they already possess, obtained by some other means.
This raises two possibilities: either it is a highly targeted attack, or it is some kind of testing process ahead of a broader campaign.
Should the UUID match, requests-darwin-lite proceeds to read data from a PNG file named "requests-sidebar-large.png," which resembles a file in the legitimate requests package, which ships with a similar image called "requests-sidebar.png."
What is different here is that while the actual logo embedded within requests has a file size of 300 kB, the one contained within requests-darwin-lite is around 17 MB.
The binary data hidden within the PNG image is the Golang-based Sliver, an open-source C2 framework designed for use by security professionals in their red team operations.
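The size gap between the two logos is the kind of signal a package scanner can check mechanically. Below is an added example, not code from Phylum or from the package, that walks a PNG's chunk list and reports anything stored after the IEND chunk, where an appended binary would sit without affecting how the image renders; the 1x1 PNG and the ELF-tagged trailer are constructed inline for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Magic bytes of common native executables: ELF, PE, Mach-O 64-bit LE, Mach-O fat.
EXECUTABLE_MAGIC = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def png_trailer(data: bytes) -> dict:
    """Walk the PNG chunk list and describe whatever follows the IEND chunk.

    A valid PNG ends at IEND; bytes after it are never rendered, which is why
    an appended payload survives image viewers unnoticed.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length + type + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            trailer = data[chunk_end:]
            return {"image_end": chunk_end, "trailing_bytes": len(trailer),
                    "executable_magic": any(trailer.startswith(m) for m in EXECUTABLE_MAGIC)}
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def is_suspicious(data: bytes, max_trailer: int = 1024) -> bool:
    """Flag a PNG that carries executable magic or a large blob after IEND."""
    info = png_trailer(data)
    return info["executable_magic"] or info["trailing_bytes"] > max_trailer


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample: a genuine 1x1 grey PNG, and the same image with a fake
# 32 KB "binary" (ELF magic plus zero padding) appended after IEND.
CLEAN_PNG = (PNG_SIGNATURE
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x80"))
             + _chunk(b"IEND", b""))
STUFFED_PNG = CLEAN_PNG + b"\x7fELF" + b"\x00" * (32 * 1024 - 4)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("stuffed", STUFFED_PNG)):
        print(name, png_trailer(blob), "SUSPICIOUS" if is_suspicious(blob) else "ok")
```

Run over every image shipped in a wheel or sdist, this catches the appended-binary trick regardless of how large the cover image is; it does not detect payloads hidden inside the pixel data itself.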
The exact end goal of the package is currently unclear, but the development is once again a sign that open-source ecosystems continue to be an attractive vector for distributing malware.
With a vast majority of codebases relying on open-source code, the steady influx of malware into npm, PyPI, and other package registries, not to mention the recent XZ Utils episode, has highlighted the need to address such issues in a systematic manner, as they could otherwise "derail large swaths of the web."