MacOS devices are being targeted with PyPI backdoor to sneak into corporate networks

A seemingly benign PyPI package is hiding dangerous malware

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Security researchers have spotted a new campaign seeking to gain access to corporate networks by targeting macOS devices and employing impersonation/typosquatting on PyPI and steganography to compromise the endpoints.

Researcjers from Phylum, which first observed the attack, unnamed threat actors created what seems to be a fork of the “requests” library on the Python Package Index (PyPI).

PyPI is by far the world’s most popular Python open source code repository, and is often used as a vehicle formalwaredeployment and distribution.

Malicious intent

The library is named requests-darwin-lite and is presented as a harmless fork of the “requests” library. It comes with a 17MB PNG image that features the Requests logo. However, that image also hides the code for the Sliver C2 adversary network.

When the victims download and run the package, Sliver is installed and starts running in the background. Similar to Cobalt Strike, Sliver is a cross-platform open-source adversarial framework testing suite used for “read teaming” - a process of simulating cyber attacks. IT teams often use read teaming as a way to test the strength of their cyberdefenses, but is being increasingly abused by criminals in recent years.

Sliver’s main attributes are custom implant generation, C2 ability, post-exploitation tools and scripts, and more.

Usually, hackers will opt for Cobalt Strike, but this adversary simulation tool has been abused and compromised to such an extent that IT teams have gotten significantly better at detecting and blocking malicious activity.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

After making the discovery, Phylum reported its findings to the PyPI administration team, which removed the malicious package from the platform. The researchers believe this was a highly targeted attack, but the targets remain unknown, as well as the identity of the attackers.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics