Credit-card-stealing, backdoored packages found in Python's PyPI library hub

Submitted by Style Pass, 2021-08-02 22:30:04

In brief Malicious libraries capable of lifting credit card numbers and opening backdoors on infected machines have been found in PyPI, the official third-party software repository for Python.

A package dubbed noblesse, and five variants, would, we're told, search Windows systems for Discord authentication tokens and browser-stored credit card numbers and siphon them off to remote systems. Another, called pytagora, and one variant would execute arbitrary Python code supplied by a remote system.

The goal, it would seem, is to steal data and cause other havoc on machines that have these dependencies installed. We've covered PyPI package security previously here.

The PyPI team also just patched a remote-code-execution hole in its platform, which could potentially have been exploited to hijack the entire hub of Python libraries.

"There was a vulnerability in GitHub Actions of PyPI’s repository, which allowed a malicious pull request to execute an arbitrary command," explained an infosec researcher known as RyotaK, who found and reported the vulnerability as well as a previous flaw in Homebrew.
