Credit-card-stealing, backdoored packages found in Python’s PyPI library hub

In brief Malicious libraries capable of lifting credit card numbers and opening backdoors on infected machines have been found in PyPI, the official third-party software repository for Python.

That’s according to the JFrog security research team, which documented its findings here at the end of last month.

A package dubbed noblesse, and five variants, would, we’re told, look on Windows systems for Discord authentication tokens, and browser-stored credit card numbers, and siphon them off to remote systems. Another called pytagora, and a variant, would execute arbitrary Python code provided by a remote system.

The goal, it would seem, is to steal data and cause other havoc on machines that have these dependencies installed. We’ve covered PyPI package security previously here.

The PyPI team also just patched a remote-code execution hole in their platform, which potentially could have been exploited to hijack the entire hub of Python libraries.

“There was a vulnerability in GitHub Actions of PyPI’s repository, which allowed a malicious pull request to execute an arbitrary command,” explained an infosec researcher known as RyotaK, who found and reported the vulnerability as well as a previous flaw in Homebrew.

“This allows an attacker to obtain write permission against the repository, which could lead to arbitrary code execution on pypi.org.”

In all, three bugs were found by RyotaK and are now said to be fixed:

The suspected Russian hackers behind the SolarWinds backdoor broke into the email accounts of US federal prosecutors last year, the Department of Justice said on Friday.

According to the Associated Press, 80 per cent of Microsoft email accounts used by staff in the US Attorney offices in New York were said to have been compromised, and across America, 27 US Attorney offices in total had at least one email account infiltrated by the cyber-spies.

NSO spyware found on French journo phone

French intelligence has found NSO’s spyware Pegasus on the smartphone of a French journalist working for France 24, according to reports.

An NSO staffer also told America’s NPR the Israeli software maker is apparently probing misuse of its surveillance-ware by some of its government customers, whose accounts it has temporarily suspended.

Women journalists and activists have told of how their private photos, allegedly obtained using Pegasus, have been leaked to social networks by governments seeking to intimidate and silence them.

Not strictly information security, but close: in the UK, an IT blunder caused 5,231 people and 55 companies that had pleaded not guilty, and were awaiting trial, to be recorded in a court database as having pleaded guilty. Though the error was spotted in October and rectified by mid-November before anyone was given an incorrect verdict or sentence, it may have had consequences for those going through background checks between April and October last year.

What happened was that, in handling a large number of cases being adjourned due to the coronavirus outbreak, a guilty plea was written over thousands of defendants’ not guilty pleas. The extent of the SNAFU was buried in a government report [PDF, page 29] out in July.

Anyone in need of exploit code?

Privilege-escalation exploit code has emerged here for the Windows PetitPotam security weakness. This can be useful for checking to see whether your environment is vulnerable.

Similarly, if you want to see if your systems can be exploited via the PrintNightmare bug, there’s a quick guide here.

Valentina Palmiotti has published a technical analysis of the Linux kernel’s eBPF system along with proof-of-concept exploit code for the now-patched CVE-2021-3490 make-me-root vulnerability in the filter. ®

READ MORE HERE