Source: The Hacker News Author: info@thehackernews.com (The Hacker News) URL: https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html
ONE SENTENCE SUMMARY:
- A malicious campaign targeted PyPI users with fake “time” utilities to steal cloud credentials, affecting thousands of downloads before removal.

MAIN POINTS:
- Cybercriminals uploaded 20 malicious Python packages to PyPI, masquerading as “time”-related utilities.
- These packages were designed to steal sensitive cloud access tokens from affected users.
- The campaign resulted in over 14,100 downloads before the packages were removed.
- Some packages uploaded data to threat actor infrastructure, while others mimicked cloud client functionalities.
- Three packages were dependencies in a popular GitHub project, increasing their reach.
- A commit referencing a malicious package dates back to November 8, 2023.
- Fortinet discovered thousands of suspicious packages across PyPI and npm with harmful install scripts.
- Malicious packages often use external URLs to download payloads or communicate with command-and-control servers.
- 974 packages were linked to data exfiltration, malware downloads, and other threats.
- Monitoring external URLs in package dependencies is critical to preventing exploitation.

TAKEAWAYS:
- Attackers increasingly exploit software supply chains by injecting malicious packages into trusted repositories.
- Developers should verify package authenticity before installation to prevent credential theft.
- Open-source ecosystems remain vulnerable to dependency hijacking and supply chain attacks.
- Continuous monitoring and scrutiny of external URLs in dependencies are essential for security.
- Security firms play a vital role in identifying and mitigating emerging threats in package repositories.
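The two signals the summary calls out, install-time scripts and external URLs in package code, can be checked before a dependency is installed. The following is an added example, not code from the article or from any vendor mentioned in it; it scans an unpacked package's source files for URLs outside an assumed allowlist of expected hosts and for setup.py constructs that run code at install time. The sample package contents and the placeholder hostname are constructed for the example.

```python
import re

# Hosts expected in legitimate package metadata; anything else is reported.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org", "github.com", "readthedocs.io"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"')]*")
# setup.py constructs that run code at install time (custom command classes).
INSTALL_HOOK_RE = re.compile(r"cmdclass\s*=|class\s+\w+\((install|develop|egg_info)\)")
# Calls that reach the network, spawn processes or decode embedded payloads.
NETWORK_RE = re.compile(r"\b(urlopen|requests\.(?:get|post)|socket\.|subprocess\.|b64decode)\b")


def scan_file(name, text):
    """Return (kind, file, detail) findings for one source file."""
    findings = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if not any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS):
            findings.append(("external_url", name, m.group(0)))
    if name.endswith("setup.py"):
        if INSTALL_HOOK_RE.search(text):
            findings.append(("install_hook", name, "custom install command"))
        net = NETWORK_RE.search(text)
        if net:
            findings.append(("network_in_setup", name, net.group(0)))
    return findings


def scan_package(files):
    """files: mapping of path -> source text, e.g. an unpacked sdist."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_file(name, text))
    return findings


# Constructed samples; the hostname is a placeholder, not a real indicator.
SUSPICIOUS = {"setup.py": (
    "from setuptools import setup\n"
    "from setuptools.command.install import install\n"
    "from urllib.request import urlopen\n"
    "class PostInstall(install):\n"
    "    def run(self):\n"
    "        install.run(self)\n"
    "        urlopen('http://placeholder.invalid/x')\n"
    "setup(name='timeutils', cmdclass={'install': PostInstall})\n")}
BENIGN = {"setup.py": (
    "from setuptools import setup\n"
    "setup(name='timeutils', url='https://github.com/example/timeutils')\n")}

if __name__ == "__main__":
    for finding in scan_package(SUSPICIOUS):
        print(*finding)
```

Run it against `pip download --no-binary :all: <package>` output unpacked into a directory to review a dependency before it reaches a build host; a hit on `install_hook` or `network_in_setup` is a reason to read the file by hand, not a verdict on its own.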