SentinelSneak: Malicious PyPI module poses as security software development kit
A malicious Python file found on the PyPI repo adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.
A Custom Python Backdoor for VMWare ESXi Servers
Juniper Threat Labs analyzes a backdoor installed on a compromised VMware ESXi server that can execute arbitrary commands and launch reverse shells.
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
Here's ReversingLabs' discoveries and indicators of compromise (IOCs) for W4SP, as well as links to our YARA rule that can be used to detect the malicious Python packages in your environment.
Tarfile: Exploiting the World With a 15-Year-Old Vulnerability
Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. As we dug into the issue, we realized this was in fact CVE-2007-4559. The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive. Over the course of our research into the impact of this vulnerability we discovered that hundreds of thousands of repositories were vulnerable to this vulnerability. While the vulnerability was originally only marked as a 6.8, we were able to confirm that in most cases an attacker can gain code execution from the file write.
Two more malicious Python packages in the PyPI
We used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI.
New Python-based Ransomware Targeting JupyterLab Web Notebooks
Researchers have disclosed what they say is the first-ever Python-based ransomware strain specifically designed to target exposed Jupyter notebooks, a web-based interactive computing platform that allows editing and running programs via a browser. "The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack," Assaf Morag, a data analyst at Aqua Security, said in a report.
SentinelSneak: Malicious PyPI module poses as security software development kit
A malicious Python file found on the PyPI repo adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.
A Custom Python Backdoor for VMWare ESXi Servers
Juniper Threat Labs analyzes a backdoor installed on a compromised VMware ESXi server that can execute arbitrary commands and launch reverse shells.
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
Here's ReversingLabs' discoveries and indicators of compromise (IOCs) for W4SP, as well as links to our YARA rule that can be used to detect the malicious Python packages in your environment.
Tarfile: Exploiting the World With a 15-Year-Old Vulnerability
Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. As we dug into the issue, we realized this was in fact CVE-2007-4559. The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive. Over the course of our research into the impact of this vulnerability we discovered that hundreds of thousands of repositories were vulnerable to this vulnerability. While the vulnerability was originally only marked as a 6.8, we were able to confirm that in most cases an attacker can gain code execution from the file write.
Two more malicious Python packages in the PyPI
We used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI.
New Python-based Ransomware Targeting JupyterLab Web Notebooks
Researchers have disclosed what they say is the first-ever Python-based ransomware strain specifically designed to target exposed Jupyter notebooks, a web-based interactive computing platform that allows editing and running programs via a browser. "The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack," Assaf Morag, a data analyst at Aqua Security, said in a report.
Two more malicious Python packages in the PyPI
We used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI.
New Python-based Ransomware Targeting JupyterLab Web Notebooks
Researchers have disclosed what they say is the first-ever Python-based ransomware strain specifically designed to target exposed Jupyter notebooks, a web-based interactive computing platform that allows editing and running programs via a browser. "The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack," Assaf Morag, a data analyst at Aqua Security, said in a report.