
Typosquatting Campaign Targets Python Developers

submitted by
Style Pass
2024-03-29 10:00:05

On 26 March 2024, Phylum's automated risk detection platform picked up yet another typosquat campaign targeting some of attackers' favorite targets on PyPI. As of writing, the attack still appears to be active and has come in two big waves with roughly a 20-hour break between them. So far, we've seen over 500 typosquat variations published targeting the following popular Python libraries:
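A campaign like this is caught by comparing every newly published name against a watchlist of popular packages. The following is an added example, not Phylum's detection code: it normalizes names the way PyPI does (PEP 503: case-fold, collapse runs of `-`, `_` and `.`), then flags any published name within one Damerau-Levenshtein edit of a watched name without being identical to it. The watchlist and the feed of published names are constructed for the example; the page's own list of targeted libraries is not reproduced above.

```python
import re

# Constructed watchlist for this example (assumption, not the page's list of targets).
WATCHLIST = ["requests", "colorama", "pillow", "numpy", "pyyaml"]


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # adjacent transposition, e.g. "reqeusts" vs "requests"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def typosquat_candidates(published, watchlist=WATCHLIST, max_distance=1):
    """Return (published_name, watched_target, distance) for names that are close to,
    but not the same as, a watched package name."""
    targets = {normalize(t): t for t in watchlist}
    hits = []
    for name in published:
        n = normalize(name)
        if n in targets:
            continue  # exact match is the legitimate package, not a squat
        for tn, t in targets.items():
            dist = damerau_levenshtein(n, tn)
            if dist <= max_distance:
                hits.append((name, t, dist))
    return hits


# Constructed sample of "newly published" names; not real campaign data.
SAMPLE_FEED = ["requets", "reqeusts", "requests", "colorrama", "numpyy",
               "pilow", "flask-login", "requests2"]

if __name__ == "__main__":
    for name, target, dist in typosquat_candidates(SAMPLE_FEED):
        print(f"{name!r} is {dist} edit(s) from {target!r}")
```

A distance threshold of 1 keeps the false-positive rate manageable on a live feed; raising it catches more variants but starts flagging unrelated short names, so in practice the threshold is scaled with the length of the watched name.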

First, a few hours before the automated attack started, we can see the attacker experimenting with a package called schubismomv3. Eleven packages and about 2.5 hours later, we can see the attacker testing a variety of malware deployment techniques. In the first four releases we can see the attacker experimenting with install hooks:

Then we can see them experimenting with smuggling the encrypted payload in a string that gets written to a local file and then executed:

Variations of the above are iterated on for the rest of the schubismomv3 publications. The diffs mainly show the author trying to get the Fernet dependency installed and working correctly. The payload, which we'll explore below, remains largely the same and, when decrypted (what's the point of encryption when you ship the key with it?), reveals a pretty run-of-the-mill stealer.
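Both techniques described above, the setup.py install hook and the Fernet-encrypted payload written to disk and executed, leave static fingerprints that can be flagged before anything is installed. The following is an added example, not Phylum's scanner or the attacker's code: a stdlib-only `ast` pass over a constructed, inert setup.py that flags subclasses of setuptools command classes, a `cmdclass` override in `setup()`, a `cryptography.fernet` import, `exec`/`eval`/shell calls, and any 44-character urlsafe-base64 literal of Fernet-key shape. The sample setup.py, its key (the all-zero key) and its "token" are constructed for the example.

```python
import ast

# Constructed, inert setup.py mimicking the patterns described above.
# The key is the all-zero Fernet key and the token is a placeholder string;
# nothing in this sample is ever executed, only parsed.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import os

KEY = b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
PAYLOAD = "gAAAAAB-constructed-token"

class PostInstall(install):
    def run(self):
        from cryptography.fernet import Fernet
        code = Fernet(KEY).decrypt(PAYLOAD.encode())
        with open("tmp.py", "wb") as f:
            f.write(code)
        exec(open("tmp.py").read())
        install.run(self)

setup(name="requets", version="1.0.0", cmdclass={"install": PostInstall})
'''

SETUPTOOLS_HOOKS = {"install", "develop", "egg_info", "build_py", "sdist"}
DANGEROUS_CALLS = {"exec", "eval", "os.system", "subprocess.Popen",
                   "subprocess.run", "subprocess.call"}


def _dotted(node):
    """Render Name / Attribute chains such as os.system as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _looks_like_fernet_key(value) -> bool:
    """A Fernet key is 32 bytes urlsafe-base64 encoded: 44 chars ending in '='."""
    v = value.decode("ascii", "ignore") if isinstance(value, bytes) else value
    return len(v) == 44 and v.endswith("=") and all(c.isalnum() or c in "-_=" for c in v)


def scan_setup_py(source: str):
    """Return a list of finding strings for install-hook and payload-smuggling patterns."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # (1) a class deriving from a setuptools command, e.g. class X(install)
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                b = _dotted(base)
                if b and b.split(".")[-1] in SETUPTOOLS_HOOKS:
                    findings.append(f"class {node.name} subclasses setuptools command {b!r}")
        # (2) setup(cmdclass={...}) wiring a hook into pip install
        if isinstance(node, ast.Call) and _dotted(node.func) == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    for k in kw.value.keys:
                        if isinstance(k, ast.Constant) and k.value in SETUPTOOLS_HOOKS:
                            findings.append(f"setup() overrides the {k.value!r} command")
        # (3) Fernet imported anywhere in setup.py, including inside run()
        if isinstance(node, ast.ImportFrom) and node.module == "cryptography.fernet":
            findings.append("imports cryptography.fernet inside setup.py")
        # (4) code execution or shell-out
        if isinstance(node, ast.Call) and _dotted(node.func) in DANGEROUS_CALLS:
            findings.append(f"calls {_dotted(node.func)}() at line {node.lineno}")
        # (5) the key shipped alongside the ciphertext
        if isinstance(node, ast.Constant) and isinstance(node.value, (bytes, str)):
            if _looks_like_fernet_key(node.value):
                findings.append(f"44-char urlsafe-base64 literal at line {node.lineno} looks like a Fernet key")
    return findings


if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

Finding (5) is what makes the author's aside concrete: once the key literal is located next to the token, `Fernet(KEY).decrypt(PAYLOAD)` in an isolated environment recovers the stealer in cleartext, so the encryption only defeats naive string grepping, not analysis.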
