Threat actors have published yet another round of malicious packages to Python Package Index (PyPI) with the goal of delivering information-stealing malware on compromised developer machines.
Interestingly, while the malware goes by a variety of names like ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer, Satan Stealer, and @skid Stealer, cybersecurity company Phylum found them all to be copies of W4SP Stealer.
W4SP Stealer primarily functions to siphon user data, including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. It’s created and published by an actor who goes by the aliases BillyV3, BillyTheGoat, and billythegoat356.
“For some reason, each deployment appears to have simply tried to do a find/replace of the W4SP references in exchange for some other seemingly arbitrary name,” the researchers said in a report published earlier this week.
The 16 rogue modules are as follows: modulesecurity, informmodule, chazz, randomtime, proxygeneratorbil, easycordey, easycordeyy, tomproxies, sys-ej, py4sync, infosys, sysuptoer, nowsys, upamonkws, captchaboy, and proxybooster.
The campaign distributing W4SP Stealer gained traction around October 2022, although indications are that it may have started as far back as August 25, 2022. Since then dozens of additional bogus packages containing W4SP Stealer have been published on PyPI by the persistent threat actors.
The latest iteration of the activity, for what it’s worth, makes no obvious to hide its nefarious intentions, except in the case of chazz, which leverages the package to download obfuscated Leaf $tealer malware hosted on the klgrth[.]io paste service.
It’s worth noting that previous versions of the attack chains have also been spotted fetching next-stage Python code directly from a public GitHub repository that then drops the credential stealer.
The surge in new copycat variants dovetails with GitHub’s takedown of the repository that held the original W4SP Stealer source code, indicating that cybercriminals likely not affiliated with the operation are also weaponizing the malware to attack PyPI users.
“Open-source ecosystems such as PyPI, NPM, and the like are huge easy targets for these kinds of actors to try and deploy this kind of malware on,” the researchers said. Their attempts will only become more frequent, more persistent, and most sophisticated.”
The software supply chain security firm, which kept tabs on the threat actor’s Discord channel, further noted that a previously flagged package under the name of pystyle was trojanized by BillyTheGoat to distribute the stealer.
The module has not only racked by thousands of downloads each month, but also started off as an innocuous utility in September 2021 to help users style console output. The malicious modifications were introduced in versions 2.1 and 2.2 released on October 28, 2022.
These two versions, which were live on PyPI for about an hour before they were pulled, are alleged to have gotten 400 downloads, BillyTheGoat told Phylum in an “unsolicited correspondence.”
“Just because a package is benign today and has shown a history of being benign for years does not mean it will remain this way,” the researchers cautioned. “Threat actors have shown tremendous patience in building legitimate packages, only to poison them with malware after they have become sufficiently popular.”
