Malicious Python Projects Targeting Windows and Linux Systems

Malicious Python Projects Targeting Windows and Linux Systems

ESET Research has discovered a cluster of malicious Python projects being distributed via PyPI, the official Python (programming language) package repository. The threat targets both Windows and Linux systems and usually delivers a custom backdoor with cyberespionage capabilities. It allows remote command execution and file exfiltration, and sometimes includes the ability to take screenshots. In some cases, the final payload is a variant of the infamous W4SP Stealer, which steals personal data and credentials, or a simple clipboard monitor to steal cryptocurrency, or both. ESET discovered 116 files (source distributions and wheels) across 53 projects that contain malware. Over the past year, victims downloaded these files more than 10,000 times. From May 2023 onward, the download rate was around 80 per day.

PyPI is popular among Python programmers for sharing and downloading code. Since anyone can contribute to the repository, malware – sometimes posing as legitimate, popular code libraries – can appear. “Some malicious package names do look similar to other, legitimate packages, but we believe the main way they are installed by potential victims isn’t via typosquatting, but social engineering, where they are walked through running pip to install an ‘interesting’ package for whatever reason,” says ESET researcher Marc-Étienne Léveillé, who discovered and analyzed the malicious packages.

Most of the packages had already been taken down by PyPI at the time of the publication of this research. ESET has communicated with PyPI to take action concerning those remaining; presently, all of the known malicious packages are offline.

ESET has observed the operators behind this campaign using three techniques to bundle malicious code into the Python packages. The first technique is to place a “test” module with lightly obfuscated code inside the package. The second technique is to embed PowerShell code in the setup.py file, which is typically run automatically by package managers such as pip to help install Python projects. In the third technique, the operators make no effort to include legitimate code in the package, so that only the malicious code is present, in a lightly obfuscated form.

Typically, the final payload is a custom backdoor capable of remote command execution, file exfiltration, and sometimes the ability to take screenshots. On Windows, the backdoor is implemented in Python. On Linux, the backdoor is implemented in the Go programming language. In some cases, a variant of the infamous W4SP Stealer is used instead of the backdoor, or a simple clipboard monitor is used to steal cryptocurrency, or both. The clipboard monitor targets Bitcoin, Ethereum, Monero, and Litecoin cryptocurrencies.

“Python developers should vet the code they download before installing it on their systems. We expect that such abuse of PyPI will continue and advise caution in installing code from any public software repository,” concludes Léveillé.

State-aligned APT Groups Are Increasingly Deploying Ransomware
Shaping a collaborative future in 2025 and beyond

Shaping a collaborative future in 2025 and beyond

Patrick Johansson, President of Ericsson Middle East and Africa, discusses Ericsson’s…
Juniper Networks presents Outlook 2025

Juniper Networks presents Outlook 2025

Mike Spanbauer, Senior Director of Product Marketing at Juniper Networks, predicts…
Saudi foodtech startup, Calo raises $25 million in Series B

Saudi foodtech startup, Calo raises $25 million in Series B

Calo, the Middle East’s largest foodtech startup revolutionizing personalized meal subscriptions,…
OmniOps secures $8 million from GMS Capital Ventures

OmniOps secures $8 million from GMS Capital Ventures

OmniOps, the first Saudi Arabia-based AI Infrastructure Technology provider, announced the successful…
lechef all set to transform workplace dining in the region

lechef all set to transform workplace dining in the region

Saudi-based serial entrepreneur Eugen Brikcius announced the launch of its new food…