A dormant package available on the Python Package Index (PyPI) repository was updated nearly two years after its last release to propagate an information stealer malware known as Nova Sentinel.
The package, named django-log-tracker, was first published to PyPI in April 2022, according to software supply chain security firm Phylum, which detected an anomalous update to the library on February 21, 2024.
While the linked GitHub repository has not been updated since April 10, 2022, the introduction of a malicious update indicates a likely compromise of the PyPI account belonging to the developer.
Django-log-tracker has been downloaded 3,866 times to date, with the rogue version (1..4) downloaded 107 times on the date it was published. The package is no longer available for download from PyPI.
“In the malicious update, the attacker stripped the package of most of its original content, leaving only an __init__.py and example.py file behind,” the company said.
The changes, simple and self-explanatory, involve fetching an executable named “Updater_1.4.4_x64.exe” from a remote server (“45.88.180[.]54”), followed by launching it using the Python os.startfile() function.
The binary, for its part, comes embedded with Nova Sentinel, a stealer malware that was first documented by Sekoia in November 2023 as being distributed in the form of fake Electron apps on bogus websites offering video game downloads.
“What’s interesting about this particular case […] is that the attack vector appeared to be an attempted supply-chain attack via a compromised PyPI account,” Phylum said.
“If this had been a really popular package, any project with this package listed as a dependency without a version specified or a flexible version specified in their dependency file would have pulled the latest, malicious version of this package.”
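The floating-dependency risk Phylum describes can be checked mechanically before an install ever runs. The script below is an added example, not Phylum's code or anything published with the article: a standard-library-only auditor that parses the common requirements.txt subset (name, extras, version clauses, `;` markers, `#` comments, `--hash` options) and flags every entry whose specifier would silently accept a newly uploaded release. The sample requirements file is constructed for the demonstration; only the django-log-tracker name comes from the article, and the other packages and versions are illustrative.

```python
"""Flag requirements.txt entries that would pull a surprise upload.

Added example (not from Phylum or the article). Uses only the standard library
and handles the everyday requirements.txt subset, not the full PEP 508 grammar.
"""
import re
from dataclasses import dataclass

# Constructed sample file. django-log-tracker is the package the article
# discusses; the other entries and versions are illustrative only.
SAMPLE_REQUIREMENTS = """\
# web stack
django >= 4.2, < 5
django-log-tracker          # no version at all: always resolves to the newest upload
requests==2.31.*
cryptography~=42.0
PyYAML==6.0.1
certifi==2024.2.2 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
-r other-requirements.txt
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(\[[^\]]*\])?(.*)$")
_EXACT_RE = re.compile(r"^={2,3}[0-9][^*]*$")   # ==1.2.3 or ===1.2.3, but not the wildcard ==1.2.*


@dataclass
class Finding:
    name: str          # PEP 503 normalized project name
    specifier: str     # version clause(s) as written, '' when absent
    status: str        # unpinned | flexible | pinned | pinned+hashed
    floats: bool       # True if a future upload could be installed without any file change


def normalize_name(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_', '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify(specifier: str, hashed: bool) -> str:
    """Decide whether a specifier can admit a release that did not exist when it was written."""
    if not specifier:
        return "unpinned"
    clauses = [c.strip() for c in specifier.split(",")]
    if all(_EXACT_RE.match(c) for c in clauses):
        return "pinned+hashed" if hashed else "pinned"
    return "flexible"   # >=, ~=, <, !=, and ==x.* all accept future releases


def parse_requirement(line: str):
    """Return a Finding for one requirements.txt line, or None for blank lines,
    comments and file-level options such as '-r' or '--index-url'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    tokens = line.split()
    hashed = any(t.startswith("--hash=") for t in tokens)
    core = "".join(t for t in tokens if not t.startswith("--"))  # requirement text without spaces
    core = core.split(";", 1)[0]                                   # drop the environment marker
    match = _NAME_RE.match(core)
    if not match:
        return None
    name, _extras, specifier = match.groups()
    status = classify(specifier, hashed)
    return Finding(normalize_name(name), specifier, status, status in ("unpinned", "flexible"))


def audit(text: str) -> list:
    """All findings for a requirements.txt body, in file order."""
    return [f for f in (parse_requirement(l) for l in text.splitlines()) if f]


def floating_packages(text: str) -> list:
    """Names whose specifier would let an unexpected new upload into the next install."""
    return [f.name for f in audit(text) if f.floats]


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"{f.name:20} {f.specifier or '(none)':22} {f.status:14} {'FLOATS' if f.floats else 'ok'}")
```

On the sample file the auditor reports django, django-log-tracker, requests and cryptography as floating; only the `==` pins survive, and the certifi line is the one shape (exact pin plus `--hash`) that a compromised account cannot turn into a different artifact, because pip refuses any download whose digest does not match.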
Some parts of this article are sourced from:
thehackernews.com