
W4SP Stealer Update—Attacker now Attempting to Masquerade as Popular Orgs

Phylum's team has discovered more PyPI packages attempting to deliver W4SP stealer in ongoing supply-chain attack.

Published on Nov 18, 2022

Written by The Phylum Research Team

Category: Research

Hello again from the Phylum Research Team! It’s been 2 weeks since we published our deep dive into the ongoing W4SP Stealer supply-chain attack targeting Python developers, and this is still a very active attack. The attacker has continued releasing package after package at a slow but very steady pace.

The modus operandi appears to be the same, generally speaking. The attacker copies existing repos and injects a malicious __import__ statement into the __init__.py or setup.py. The number of layers and the complexity of the obfuscation vary slightly from package to package, but they all appear to share the same end goal of getting W4SP Stealer deployed on developers’ machines.
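As an added illustration of the pattern above (example code written for this post, not Phylum's own tooling), the following script parses a package's setup.py or __init__.py with Python's standard ast module and reports every __import__ call, noting whether the module name is a plain string or is computed at runtime and whether the call executes at install or import time. The setup.py it scans is a constructed sample, not taken from any real package.

```python
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    file: str
    line: int
    target: str       # literal module name, or "<computed>" when built at runtime
    top_level: bool   # True if the call runs at install (setup.py) or import (__init__.py) time


def _is_dunder_import(call: ast.Call) -> bool:
    f = call.func
    return (isinstance(f, ast.Name) and f.id == "__import__") or (
        isinstance(f, ast.Attribute) and f.attr == "__import__")


def scan_source(src: str, filename: str = "<string>") -> List[Finding]:
    """Report every __import__ call in one Python source file."""
    findings = []
    for stmt in ast.parse(src, filename).body:
        # def/class bodies only run when called; any other top-level statement runs at import
        runs_on_import = not isinstance(
            stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call) and _is_dunder_import(node):
                arg = node.args[0] if node.args else None
                literal = isinstance(arg, ast.Constant) and isinstance(arg.value, str)
                findings.append(Finding(filename, node.lineno,
                                        arg.value if literal else "<computed>", runs_on_import))
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """A computed module name, or a call that fires at import time, deserves a human look."""
    return [f for f in findings if f.target == "<computed>" or f.top_level]


# Constructed sample (not a real package): one obfuscated import-time call, one benign one
SAMPLE_SETUP_PY = """\
from setuptools import setup
# module name assembled at runtime so a plain text search for it finds nothing
__import__("".join(chr(c) for c in (98, 117, 105, 108, 116, 105, 110, 115)))
def _helper():
    return __import__("json")
setup(name="example-pkg", version="0.1")
"""
```

To check a downloaded package, feed the contents of its setup.py and each __init__.py to scan_source and review whatever suspicious() returns.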

Mozilla on PyPI⁉️

In a brazen albeit strange twist, just this morning, the attacker published a package on PyPI called mozilla under a username also registered as “Mozilla.” We’re not sure what a Python developer might expect to receive by pip installing mozilla onto their machine (perhaps a terminal-based Firefox??) but there you have it—not a typosquat, per se, but a “brandsquat” maybe? The attacker is clearly trying to pose as the organization itself, hoping to rely on brand name recognition to not raise suspicion. Either way, this particular attempt has lifted the legitimate part of the code from a package called app-graphs.

[Image: the mozilla package page on PyPI]

[Image: the package author shown as “Mozilla”]

The Full List

You can see from some entries on the list that Mozilla isn’t the only brand name being used. There are a handful of packages released with Discord and TikTok in the names as well.

This attack has proven to be bold, steady and relentless. Here’s a full list of the additional packages we’ve uncovered since our last report:

  • mozilla
  • shortnet
  • shortnets
  • pylo-color
  • web5
  • color-random
  • simple-color
  • loy
  • auo
  • color-utility
  • tiktok-filter-api
  • Discord-Embedds
  • color-utility-test
  • pyshftuler
  • blockcypher-lib
  • discord-api-wrapper
  • ascii2art
  • crypto-payments
  • apch
  • colors-it

We at Phylum are continuing to closely watch this attack and report all these packages as soon as we see them. Be sure to stay tuned for our next update!

Impact

As of publication, the total download count for this new set of packages is about 3000 downloads.
