JFrog researchers have discovered 11 malicious Python packages on PyPI, the official third-party package repository for Python, which have been collectively downloaded over 41,000 times.
This is not the first time that malicious packages have been successfully introduced into online package repositories and will surely not be the last. What’s worrying the researchers is that attackers are using increasingly advanced techniques to avoid detection.
Detection evasion techniques
The malicious packages – importantpackage, important-package, pptest, ipboards, owlmoon, DiscordSafety, trrfab, 10Cent10, 10Cent11, yandex-yt, and yiffparty – steal Discord tokens, establish a reverse shell over HTTP giving the attacker full control over an infected machine, or collect user information and send it via DNS tunneling to a server run by the attackers.