Malicious Campaign Targets Windows Users via Compromised Python Packages
Sonatype has revealed a malicious campaign targeting Windows users via compromised Python packages on the PyPI repository. The packages, 'flask-requests-complex', 'php-requests-complex', and 'tkinter-message-box', were found to create unauthorized Chrome Remote Desktop user accounts or to steal sensitive Telegram data.
The malicious packages were published by a single PyPI account, 'ternaryternary', which has a history of suspicious activity with a total of seven questionable packages. Sonatype's automated malware detection system identified these packages, which exploit the trust users place in legitimate-looking software.
Upon investigation, it was discovered that 'flask-requests-complex' and 'php-requests-complex' add new user accounts to the 'Remote Desktop Users' group, potentially granting unauthorized access to Windows systems via Chrome Remote Desktop. Meanwhile, 'tkinter-message-box' targets Telegram Desktop clients, stealing 'tdata' cache and settings files, which may contain sensitive user information.
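Two defender-side checks for the behaviours described above, as an added example that is not part of Sonatype's report or tooling: a watchlist match of installed distributions against the three package names named in the article, and a detection over Windows Security event 4732 records (member added to a security-enabled local group) that flags additions to 'Remote Desktop Users'. The flattened key="value" event format and the sample log lines are constructed for this example, not the native EVTX layout.

```python
import re
from typing import Iterable

# Package names taken from the report above; the watchlist itself is constructed here.
KNOWN_MALICIOUS_PYPI = {
    "flask-requests-complex",
    "php-requests-complex",
    "tkinter-message-box",
}

# Local group that the first two packages modify, per the report.
WATCHED_GROUP = "Remote Desktop Users"


def find_known_malicious(installed: Iterable[str]) -> set[str]:
    """Return installed distribution names found on the watchlist.
    PyPI names are case-insensitive and treat '-', '_' and '.' as equivalent."""
    def norm(name: str) -> str:
        return re.sub(r"[-_.]+", "-", name).lower()
    watch = {norm(n) for n in KNOWN_MALICIOUS_PYPI}
    return {n for n in installed if norm(n) in watch}


def rdp_group_additions(event_lines: Iterable[str]) -> list[dict]:
    """Flag event 4732 records whose target group is 'Remote Desktop Users'.
    Input is a constructed, flattened key="value" rendering of the event fields."""
    hits = []
    for line in event_lines:
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if fields.get("EventID") != "4732":
            continue
        if fields.get("GroupName") != WATCHED_GROUP:
            continue
        hits.append({"member": fields.get("MemberName"), "by": fields.get("SubjectUserName")})
    return hits


# Constructed sample events: one logon, one suspicious addition, one unrelated addition.
SAMPLE_EVENTS = [
    'EventID="4624" SubjectUserName="alice" LogonType="2"',
    'EventID="4732" SubjectUserName="alice" MemberName="WIN10\\svc_chrome" GroupName="Remote Desktop Users"',
    'EventID="4732" SubjectUserName="Administrator" MemberName="WIN10\\bob" GroupName="Administrators"',
]

if __name__ == "__main__":
    from importlib import metadata
    names = [d.metadata.get("Name") or "" for d in metadata.distributions()]
    print("known-malicious packages installed:", find_known_malicious(names) or "none")
    for hit in rdp_group_additions(SAMPLE_EVENTS):
        print(f"ALERT: {hit['member']} added to '{WATCHED_GROUP}' by {hit['by']}")
```

On a real host, feed `rdp_group_additions` with 4732 events exported from the Security log and review any hit that was not performed by an expected administrative account.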
Sonatype's Repository Firewall ensures that users of their services remain protected from such threats. The company swiftly reported the malicious packages and account to PyPI administrators, leading to the removal of the primary offending packages.
This incident highlights the importance of robust malware detection systems in the software supply chain. Sonatype's discovery and response have mitigated potential damage to both developers and customers. Users are advised to remain vigilant and ensure they only install packages from trusted sources.