On April 16, 2023, Phylum's automated risk detection platform detected a surge of publications of a library called vibranced on NPM. In this article, we will examine the actions taken by the attackers and their attempts to distribute Python-based malware on NPM.
Phylum has recently discovered that a package called mathjs-min, which was uploaded to NPM by user rizzman on March 26, contains a Discord token grabber. This package is actually a modified
Phylum’s automated platform recently detected the onyxproxy package on PyPI, a malicious package that harvests and exfiltrates credentials and other sensitive data. In many ways, this package typifies other token stealers that
tl;dr - An unsophisticated actor efficiently published about a thousand typosquatted packages of forty popular Python packages containing malicious code in a campaign that lasted two days, but actually only took about
🚨 This appears to be an ongoing attack. As of the morning of 2/24/2023 an additional 600+ packages have been published by this actor. In total we have identified 5,943 malicious