Several malicious Python wheel (.whl) files carrying a new malware strain called "Kekw" have been discovered on PyPI (the Python Package Index).
According to new data from Cyble Research and Intelligence Labs (CRIL), Kekw can steal sensitive information from infected systems and act as a clipper, swapping cryptocurrency wallet addresses on the clipboard so that a victim's transaction is redirected to an attacker-controlled wallet.
“Following our investigation, we found that the Python packages under scrutiny were not present in the PyPI repository, indicating that the Python security team had removed the malicious packages,” CRIL wrote in an advisory published on Wednesday.
“Additionally, [we] verified with the Python security team on 02-05-2023 and confirmed that they took down the malicious packages within 48 hours of them being uploaded.”
Because the packages were taken down so quickly, Cyble said it is not possible to determine how many people downloaded them.
“Nevertheless, we believe that the impact of the incident may have been minimal,” reads the advisory.
Mike Parkin, a senior technical engineer at Vulcan Cyber, commented that the packages are a prime example of the supply chain attacks that threat actors currently favor, and credited the team running the repository with a proper response to the incident.
“It’s impractical to expect public repositories to do the job for you. While they do a lot, we can expect threat actors to keep using this approach. The responsibility for vetting the libraries in use ultimately falls to the developers,” Parkin added.
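The vetting Parkin describes can be started offline, before `pip install` ever runs. The script below is an added example written for this page, not code from Cyble, PyPI or the Kekw packages: it opens a wheel as the zip archive it is, cross-checks every member against the `RECORD` manifest that PEP 427 requires (path, `sha256=` urlsafe-base64 digest, size), and then greps the Python sources for generic review prompts that commonly appear in info-stealers and clippers, such as `exec`/`eval` of base64 blobs, clipboard modules and embedded wallet-address regexes. The pattern list and the sample wheel are constructed for illustration; they are not published Kekw indicators, and a hit is a reason to read the file, not a verdict.

```python
"""Offline triage of a Python wheel (.whl) before installing it."""
import base64
import csv
import hashlib
import io
import re
import zipfile

# Constructed review prompts (assumptions for this example, not Kekw IOCs).
SUSPICIOUS = {
    "dynamic_exec": re.compile(r"\b(?:exec|eval)\s*\("),
    "base64_decode": re.compile(r"base64\.b64decode"),
    "clipboard_access": re.compile(r"\b(?:pyperclip|win32clipboard)\b"),
}
# Literal character classes a clipper typically carries to recognise wallet addresses.
WALLET_REGEX_LITERALS = ["[13][a-km-zA-HJ-NP-Z1-9]", "0x[a-fA-F0-9]{40}"]


def _record_digest(data: bytes) -> str:
    """Digest in the form RECORD uses: urlsafe base64, padding stripped."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()


def verify_record(zf: zipfile.ZipFile) -> list:
    """Report archive members missing from RECORD or whose hash disagrees with it."""
    record_name = next((n for n in zf.namelist() if n.endswith(".dist-info/RECORD")), None)
    if record_name is None:
        return ["no RECORD file in wheel"]
    listed = {}
    for row in csv.reader(io.StringIO(zf.read(record_name).decode("utf-8"))):
        if len(row) >= 2 and row[0]:
            listed[row[0]] = row[1]
    issues = []
    for name in zf.namelist():
        if name.endswith("/") or name == record_name:
            continue
        if name not in listed:
            issues.append(f"{name}: not listed in RECORD")
        elif listed[name].startswith("sha256=") and _record_digest(zf.read(name)) != listed[name][7:]:
            issues.append(f"{name}: sha256 mismatch with RECORD")
    return issues


def scan_sources(zf: zipfile.ZipFile) -> list:
    """Return (member, label) pairs for every .py member that trips a review prompt."""
    findings = []
    for name in zf.namelist():
        if not name.endswith(".py"):
            continue
        text = zf.read(name).decode("utf-8", errors="replace")
        findings.extend((name, label) for label, pat in SUSPICIOUS.items() if pat.search(text))
        if any(lit in text for lit in WALLET_REGEX_LITERALS):
            findings.append((name, "wallet_address_regex"))
    return findings


def triage_wheel(wheel_bytes: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return {"record_issues": verify_record(zf), "findings": scan_sources(zf)}


def build_sample_wheel() -> bytes:
    """Construct an in-memory wheel (sample data for this example, not a real package)."""
    files = {
        "demo_pkg/__init__.py": "def add(a, b):\n    return a + b\n",
        # Module that runs on import: decodes and execs a blob, touches the clipboard,
        # and carries a Bitcoin-address regex, the shape of a clipper.
        "demo_pkg/_boot.py": (
            "import base64, re\n"
            "import pyperclip\n"
            "BTC = re.compile(r'^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$')\n"
            "exec(base64.b64decode('cHJpbnQoMSk='))\n"
        ),
        "demo_pkg-0.1.dist-info/METADATA": "Metadata-Version: 2.1\nName: demo_pkg\nVersion: 0.1\n",
        "demo_pkg-0.1.dist-info/WHEEL": "Wheel-Version: 1.0\n",
    }
    # RECORD is computed over a clean _boot.py, as if the file were swapped after the
    # manifest was written; the archive itself contains the suspicious version.
    recorded = dict(files)
    recorded["demo_pkg/_boot.py"] = "def boot():\n    return None\n"
    record_lines = [f"{p},sha256={_record_digest(b.encode())},{len(b.encode())}" for p, b in recorded.items()]
    record_lines.append("demo_pkg-0.1.dist-info/RECORD,,")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
        zf.writestr("demo_pkg-0.1.dist-info/RECORD", "\n".join(record_lines) + "\n")
        # A member added after RECORD was written, so it is not listed at all.
        zf.writestr("demo_pkg/_extra.py", "print('not in RECORD')\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_wheel(build_sample_wheel())
    for issue in report["record_issues"]:
        print("RECORD:", issue)
    for member, label in report["findings"]:
        print(f"{member}: {label}")
```

To run this against a real download, replace `build_sample_wheel()` with `open("pkg.whl", "rb").read()` after fetching it with `pip download --no-deps`. Note that a RECORD check only proves the archive is internally consistent; a wheel built by the attacker will have a consistent RECORD, which is why the source scan runs regardless of the manifest result.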
John Bambenek, principal threat hunter at Netenrich, commenting more generally, said that while open-source software and libraries rapidly increase the productivity and output of software engineering efforts, the downside is that anybody, including threat actors, can contribute code.
“While such malicious activity can be uncovered quickly, it isn’t like open-source software efforts have large-scale SOCs protecting their efforts from malicious code insertion,” the security expert added.
Case in point, just a couple of months ago, Sonatype discovered a substantial number of malicious packages on the npm and PyPI open-source registries.