
Mar 15, 2025 | Ravie Lakshmanan | Malware / Supply Chain Security

Cybersecurity experts have identified a malicious campaign targeting Python Package Index (PyPI) users with fake libraries disguised as “time” related utilities. These libraries, however, contain hidden functionality designed to steal sensitive data, including cloud access tokens.

ReversingLabs, a software supply chain security firm, discovered two sets of packages, totaling 20, which have been downloaded over 14,100 times. The packages include:

  • snapshot-photo (2,448 downloads)
  • time-check-server (316 downloads)
  • time-check-server-get (178 downloads)
  • time-server-analysis (144 downloads)
  • time-server-analyzer (74 downloads)
  • time-server-test (155 downloads)
  • time-service-checker (151 downloads)
  • aclient-sdk (120 downloads)
  • acloud-client (5,496 downloads)
  • acloud-clients (198 downloads)
  • acloud-client-uses (294 downloads)
  • alicloud-client (622 downloads)
  • alicloud-client-sdk (206 downloads)
  • amzclients-sdk (100 downloads)
  • awscloud-clients-core (206 downloads)
  • credential-python-sdk (1,155 downloads)
  • enumer-iam (1,254 downloads)
  • tclients-sdk (173 downloads)
  • tcloud-python-sdks (98 downloads)
  • tcloud-python-test (793 downloads)

The first set of packages uploads data to the threat actor’s infrastructure, while the second set implements cloud client functionality for services such as Alibaba Cloud, Amazon Web Services, and Tencent Cloud. The second-set packages, however, also exfiltrate cloud secrets, routing them through the “time” related packages.

All the identified packages have been removed from PyPI. Further analysis revealed that three packages – acloud-client, enumer-iam, and tcloud-python-test – have been listed as dependencies of a GitHub project named accesskey_tools, which has been forked 42 times and starred 519 times.

A source code commit referencing tcloud-python-test was made on November 8, 2023, indicating that the package has been available for download on PyPI since then. The package has been downloaded 793 times, according to pepy.tech statistics.

Fortinet FortiGuard Labs reported discovering thousands of packages across PyPI and npm, some of which contain suspicious install scripts designed to deploy malicious code during installation or communicate with external servers.

“Suspicious URLs are a key indicator of potentially malicious packages, as they are often used to download additional payloads or establish communication with command-and-control (C&C) servers, giving attackers control over infected systems,” said Jenna Wang.

“In 974 packages, such URLs are linked to the risk of data exfiltration, further malware downloads, and other malicious actions. It is crucial to scrutinize and monitor external URLs in package dependencies to prevent exploitation.”
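As an added defender-side example (not code from the article, ReversingLabs or Fortinet), the checker below screens a requirements list against the package names reported above and parses a setup.py for the install-time command hooks, network imports and external URLs that the Fortinet researchers describe. The sample setup.py and requirements are constructed for the demonstration.

```python
import ast
import re

# Package names from the ReversingLabs list in the article, normalised per PEP 503.
KNOWN_MALICIOUS = {
    "snapshot-photo", "time-check-server", "time-check-server-get",
    "time-server-analysis", "time-server-analyzer", "time-server-test",
    "time-service-checker", "aclient-sdk", "acloud-client", "acloud-clients",
    "acloud-client-uses", "alicloud-client", "alicloud-client-sdk",
    "amzclients-sdk", "awscloud-clients-core", "credential-python-sdk",
    "enumer-iam", "tclients-sdk", "tcloud-python-sdks", "tcloud-python-test",
}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
NETWORK_MODULES = {"urllib", "requests", "socket", "http"}
INSTALL_HOOKS = {"install", "develop", "egg_info"}  # setuptools command classes

def normalize(name):
    return re.sub(r"[-_.]+", "-", name).lower()  # PEP 503: lowercase, [-_.] runs -> '-'

def check_requirements(lines):
    """Return requirement names (as written) that match the known-malicious list."""
    names = [re.split(r"[\s<>=!~;\[#]", ln.strip(), maxsplit=1)[0] for ln in lines]
    return [n for n in names if n and normalize(n) in KNOWN_MALICIOUS]

def check_setup_py(source):
    """Flag install-time command hooks, network imports and external URLs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            # Subclassing setuptools' install/develop runs code during `pip install`.
            bases = {b.id for b in node.bases if isinstance(b, ast.Name)}
            if bases & INSTALL_HOOKS:
                findings.append(f"install hook: class {node.name}")
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            findings += [f"network import: {m}" for m in mods if m.split(".")[0] in NETWORK_MODULES]
    findings += [f"external URL: {u}" for u in URL_RE.findall(source)]
    return findings

# Constructed sample setup.py with an install-time hook; not code from any real package.
SAMPLE_SETUP = '''\
from setuptools import setup
from setuptools.command.install import install
import urllib.request
class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlopen("http://example.invalid/collect").read()
setup(name="time-check-server", cmdclass={"install": PostInstall})
'''
SAMPLE_REQS = ["requests>=2.31", "acloud_client==1.0", "numpy", "Time-Server-Test"]
```

Run `check_requirements` over each lockfile or requirements file in a repository and `check_setup_py` over the setup.py of any sdist before it is installed; a hit is a prompt for manual review, not proof of compromise on its own.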
