Sunday, February 23, 2025

Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library Logo


Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang version of the Sliver command-and-control (C2) framework inside a PNG image of the project’s logo.

The package using this steganographic trickery is requests-darwin-lite, which had been downloaded 417 times before it was taken down from the Python Package Index (PyPI) registry.

Requests-darwin-lite “appeared to be a fork of the ever-popular requests package with a few key differences, most notably the inclusion of a malicious Go binary packed into a large version of the actual requests side-bar PNG logo,” software supply chain security firm Phylum said.


The modifications were introduced in the package’s setup.py file, which has been configured to decode and execute a Base64-encoded command to gather the system’s Universally Unique Identifier (UUID).

In what’s an interesting twist, the infection chain proceeds only if the identifier matches a specific value, implying that the author(s) behind the package are attempting to breach a particular machine whose identifier they already possess, obtained through some other means.


This raises two possibilities: Either it is a highly targeted attack, or it is some kind of testing process ahead of a broader campaign.

Should the UUID match, requests-darwin-lite proceeds to read data from a PNG file named “requests-sidebar-large.png,” which bears similarities to the legitimate requests package, which ships with a similar file called “requests-sidebar.png.”

What’s different here is that while the actual logo embedded within requests has a file size of 300 kB, the one contained within requests-darwin-lite is around 17 MB.


The binary data hidden within the PNG image is the Golang-based Sliver, an open-source C2 framework that is designed for use by security professionals in their red team operations.
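The article does not say exactly how the Go binary was packed into the oversized logo; one common way to hide a payload in a PNG while keeping it a valid image is to append the bytes after the final IEND chunk. The following added example (not code from the article, from Phylum, or from the malicious package) walks the PNG chunk list of a constructed in-memory image and reports how many bytes trail IEND, which is a cheap check a package scanner can run over every image asset shipped in a distribution, alongside a plain size-anomaly check such as the 300 kB versus 17 MB gap described above.

```python
"""Report payload bytes that trail a PNG's IEND chunk (defensive check)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    # PNG chunk layout: 4-byte big-endian length, 4-byte type, data, CRC32 over type+data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG with IHDR, IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte 0 + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def trailing_bytes_after_iend(blob: bytes) -> int:
    """Walk the chunk list and return the number of bytes found after IEND.

    Raises ValueError on a bad signature or a truncated chunk, so a non-PNG file
    that merely carries a .png name is surfaced rather than silently passed.
    """
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG signature")
    pos = len(PNG_SIG)
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(blob):
            raise ValueError("truncated chunk data")
        if ctype == b"IEND":
            return len(blob) - end
        pos = end


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed stand-in for an appended native binary: a magic header plus filler.
    packed = clean + b"\x7fELF" + b"\x00" * 4096
    print(trailing_bytes_after_iend(clean))   # 0
    print(trailing_bytes_after_iend(packed))  # 4100
```

A non-zero result is not proof of malice on its own (some tools leave harmless trailing metadata), but combined with a logo that is dozens of times larger than the upstream project’s, it is a strong signal worth quarantining the package for.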


The exact end goal of the package is currently unclear, but the development is once again a sign that open-source ecosystems continue to be an attractive vector for distributing malware.

With the vast majority of codebases relying on open-source code, the steady influx of malware into npm, PyPI, and other package registries, not to mention the recent XZ Utils episode, has highlighted the need to address these issues in a systematic manner that otherwise can “derail large swaths of the web.”
