New Typosquatting and Repojacking Tactics Uncovered on PyPI

Written by

Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories. 

This trend encompasses a wide array of malicious activities, including hosting command-and-control (C2) infrastructure, storing stolen data and disseminating various forms of malware. 

In a recent discovery, ReversingLabs reverse engineer Karlo Zanki uncovered two suspicious packages on the Python Package Index (PyPI), named NP6HelperHttptest and NP6HelperHttper. These packages were found to employ DLL sideloading, a technique malicious actors use to execute code discreetly and avoid detection by security monitoring tools.

Typosquatting and repojacking, also used in the deployment of these packages, are common tactics malicious actors employ to distribute look-alike packages, aiming to deceive developers into incorporating them into their applications. 

The recent discovery of NP6HelperHttptest and NP6HelperHttper on PyPI exemplifies such tactics, exploiting similarities with legitimate NP6 packages – a marketing automation tool developed by Chapvision – to dupe unsuspecting users.

Image credit: ulkerdesign / Shutterstock.com

In this case, ReversingLabs discovered that the NP6 PyPI account wasn’t officially associated with Chapvision; rather, it belonged to a Chapvision developer’s personal account.

It remains uncertain whether the company was aware of the existence of the account, or of the NP6HelperHttp and NP6HelperConfig tools. 

However, upon notification of these packages by ReversingLabs, Chapvision confirmed that one of their employees had indeed published the helper tools. Shortly thereafter, the packages were removed from PyPI.

Further examination of the malicious packages revealed a sophisticated scheme involving executing malicious code hidden within setup.py scripts. These scripts facilitated the download and execution of both legitimate and malicious files, with the latter posing significant security risks.

Read more on these challenges: Python Package Index Targeted Again By VMConnect

“DLL sideloading is a well-documented hacking technique used by both cybercriminal and nation-state actors to load malicious code while evading detection,” Zanki explained.

“In one prominent example, the North Korea-linked Lazarus Group used DLL sideloading to replace an internal IDA Pro library, win_fw.dll, with a malicious DLL to download and execute a payload.”

ReversingLabs’ research not only shed light on individual instances of malicious activity but also suggested a broader campaign involving multiple packages and sophisticated tactics, all relying on DLL sideloading. 

“The emergence of DLL sideloading attacks is one clear example of this emerging attack vector,” reads the advisory.

“These attacks have been used for years by threat actors to increase their leverage and control within compromised environments while escaping detection, but less often seen in attacks leveraging open-source packages. This report suggests that may be changing.”

What’s hot on Infosecurity Magazine?