This article is more than 1 year old
Credit-card-stealing, backdoored packages found in Python's PyPI library hub
Plus: SolarWinds cyber-spies hit US prosecutors' email systems, and more
In brief Malicious libraries capable of lifting credit card numbers and opening backdoors on infected machines have been found in PyPI, the official third-party software repository for Python.
That's according to the JFrog security research team, which documented its findings here at the end of last month.
A package dubbed noblesse, and five variants, would, we're told, look on Windows systems for Discord authentication tokens, and browser-stored credit card numbers, and siphon them off to remote systems. Another called pytagora, and a variant, would execute arbitrary Python code provided by a remote system.
The goal, it would seem, is to steal data and cause other havoc on machines that have these dependencies installed. We've covered PyPI package security previously here.
The PyPI team also just patched a remote-code execution hole in their platform, which potentially could have been exploited to hijack the entire hub of Python libraries.
"There was a vulnerability in GitHub Actions of PyPI’s repository, which allowed a malicious pull request to execute an arbitrary command," explained an infosec researcher known as RyotaK, who found and reported the vulnerability as well as a previous flaw in Homebrew.
"This allows an attacker to obtain write permission against the repository, which could lead to arbitrary code execution on pypi.org."
In all, three bugs were found by RyotaK and are now said to be fixed:
- Vulnerability in Legacy Document Deletion on PyPI
- Vulnerability in Role Deletion on PyPI
- Vulnerability in GitHub Actions workflow for PyPI
According to the Associated Press, 80 per cent of Microsoft email accounts used by staff in the US Attorney offices in New York were said to have been compromised, and across America, 27 US Attorney offices in total had at least one email account infiltrated by the cyber-spies.
NSO spyware found on journo phones
An NSO staffer also told America's NPR the Israeli software maker is apparently probing misuse of its surveillance-ware by some of its government customers, whose accounts it has temporarily suspended.
Women journalists and activists have told of how their private photos, allegedly obtained using Pegasus, have been leaked to social networks by governments seeking to intimidate and silence them.
Not strictly information security, but close: in the UK, an IT blunder caused 5,231 people and 55 companies that had pleaded not guilty, and were awaiting trial, to be recorded in a court database as having pleaded guilty. Though the error was spotted in October and rectified by mid-November before anyone was given an incorrect verdict or sentence, it may have had consequences for those going through background checks between April and October last year.
What happened was that, in handling a large number of cases being adjourned due to the coronavirus outbreak, a guilty plea was written over thousands of defendants' not guilty pleas. The extent of the SNAFU was buried in a government report [PDF, page 29] out in July.
Anyone in need of exploit code?
Similarly, if you want to see if your systems can be exploited via the PrintNightmare bug, there's a quick guide here.
Valentina Palmiotti has published a technical analysis of the Linux kernel's eBPF system along with proof-of-concept exploit code for the now-patched CVE-2021-3490 make-me-root vulnerability in the filter. ®