Check Point Research (CPR) says it has prevented two recent code package attacks – Python-drgn and Bloxflip – in third-party repositories like PyPi.
Code package supply chain attacks involve publishing malicious packages or injecting malicious code into legitimate code packages that are distributed through online code repositories and package managers.
This attack vector leverages trusted third-party repositories and the vast ecosystems of open source third-party use.
Python-drgn on PyPi
Python-drgn is a malicious package that was uploaded to PyPI on 8 August 2022. By using the Python-drgn, the attackers can then collect private data of multiple users and can abuse it in several ways:
* Selling the information;
* Identity theft;
* Account takeover; and
* Collecting information about the company.
Bloxflip on PyPi
Another malicious package Check Point’s engines detected is Bloxflip. First, it disables Windows Defender to avoid detection. Then it downloads an executable from the Web using the Python “get” function. Finally, a sub-process is created and executes the malicious executable in the developer environment.
“Code package supply chain attacks have increased significantly in recent years,” says Lee Levi, team leader, Mail Security at Check Point. “Here, attackers publish malicious packages or inject malicious code into legitimate code packages distributed through online code repositories and package managers.
“These attacks can have serious consequences, including data compromise, operational disruption, and reputation damage,” Levi adds. “Today, we’re showing two examples of where we recently prevented code package attacks. The first one is Python-drgn on PyPi, where the attackers could collect private data of multiple users. The second one is Bloxflip, which disables Windows Defender to avoid detection.
“From an attacker’s perspective, package repositories are a reliable and scalable malware distribution channel,” Levi says. “We warn the public to exercise cyber safety by verifying the legitimacy of all source code acquired from third-parties.”