From: Wanderer
Newsgroups: sci.electronics.design
Subject: Warning for Python Users: PyPi supply chain attack
Date: Fri, 29 Mar 2024 06:29:52
Organization: To protect and to server

Warning for those who use Python.

pypi halted new users and projects while it fended off supply chain attack
https://arstechnica.com/security/2024/03/pypi-halted-new-users-and-projects-while-it-fended-off-supply-chain-attack/

"The malicious code is located within each package's setup.py file, enabling automatic execution upon installation. In addition, the malicious payload employed a technique where the setup.py file contained obfuscated code that was encrypted using the Fernet encryption module. When the package was installed, the obfuscated code was automatically executed, triggering the malicious payload.

Upon execution, the malicious code within the setup.py file attempted to retrieve an additional payload from a remote server. The URL for the payload was dynamically constructed by appending the package name as a query parameter. The retrieved payload was also encrypted using the Fernet module. Once decrypted, the payload revealed an extensive info-stealer designed to harvest sensitive information from the victim's machine.

The malicious payload also employed a persistence mechanism to ensure it remained active on the compromised system even after the initial execution."
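The pattern the quoted excerpt describes (an encrypted blob in setup.py that is decrypted with Fernet and handed to exec at install time) is easy to triage statically before a package is ever installed. The following is an added example, not code from the post or the article it links, and the indicator lists and the two constructed sample files are assumptions made for the example:

```python
import ast

# Indicator sets are assumptions chosen for this example, not a published ruleset.
SUSPICIOUS_IMPORTS = {"cryptography.fernet", "base64", "urllib.request",
                      "requests", "subprocess", "ctypes"}
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "urlopen", "b64decode",
                    "decrypt", "Popen", "system"}


def scan_setup_py(source: str) -> list[str]:
    """Statically triage setup.py text; the file is parsed, never executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Imports a legitimate setup.py almost never needs.
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in SUSPICIOUS_IMPORTS:
                    findings.append(f"import of {alias.name} (line {node.lineno})")
        elif isinstance(node, ast.ImportFrom) and node.module in SUSPICIOUS_IMPORTS:
            findings.append(f"import from {node.module} (line {node.lineno})")
        # Calls that run or fetch code, e.g. exec(Fernet(key).decrypt(blob)).
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"call to {name}() (line {node.lineno})")
        # A long opaque literal is what an embedded Fernet ciphertext looks like.
        elif (isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes))
              and len(node.value) > 200):
            findings.append(f"opaque literal, {len(node.value)} chars (line {node.lineno})")
    return findings


# Constructed samples. The first mirrors the pattern described in the post, with a
# placeholder key and blob so it is inert; the second is an ordinary setup.py.
MALICIOUS_SAMPLE = (
    "from setuptools import setup\n"
    "from cryptography.fernet import Fernet\n"
    "import urllib.request\n"
    'BLOB = b"' + "A" * 300 + '"\n'
    'exec(Fernet(b"<placeholder-key>").decrypt(BLOB))\n'
    'setup(name="demo-pkg")\n'
)
CLEAN_SAMPLE = (
    "from setuptools import setup\n"
    'setup(name="demo-pkg", version="1.0", packages=["demo_pkg"])\n'
)

if __name__ == "__main__":
    for label, text in (("suspicious", MALICIOUS_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, "->", scan_setup_py(text) or "no findings")
```

Run it against a downloaded sdist's setup.py (for instance one fetched with `pip download --no-binary :all: --no-deps`) before installing; a non-empty result is a reason to read the file by hand, not proof of malice.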