Security researchers have identified a previously unknown group dubbed “JuiceLedger” as the threat actor behind a recent and first-known phishing campaign specifically targeting users of the Python Package Index (PyPI).
The threat actor first surfaced early this year and is focused on distributing a .NET-based malware called JuiceStealer for searching and stealing browser and cryptocurrency-related information from infected systems.
Initially, JuiceLedger distributed the information stealer via fraudulent Python installer applications. But starting in August, researchers from SentinelOne and Checkmarx observed the attacker also engaged in attempts to poison Python packages on the PyPI repository — presumably to distribute its malware to a wider audience.
