W4SP Stealer Update—They’re Still At It

In case the threat actors haven’t figured it out yet, Phylum has a fully automated package monitoring and analysis platform that works quickly and efficiently at scale. We literally get pinged every time you publish your malware. You can keep spinning the hamster wheel, but you won’t get very far.

Published on Dec 15, 2022
Written by The Phylum Research Team

This one will be short and sweet! Since our last W4SP Stealer update, we’ve seen at least an additional 47 packages containing W4SP Stealer published on PyPI by these threat actors. And again, they are all published under the guise of a legitimate package, with the malicious __import__ first stage lurking somewhere in the __init__.py, the setup.py, or some other file that gets executed during installation or on first import.
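Because the first stage is a call to __import__ placed in a file that runs at install time (setup.py) or at first import (__init__.py), a defender can triage a downloaded package by parsing just those files and listing every direct __import__ call. The following is an added example, not Phylum's tooling or code from any of the packages above; the sample module text is constructed (with a harmless placeholder payload) and the function names are the author's own.

```python
import ast
from typing import Dict, List, Tuple

# Constructed stand-in for a package's __init__.py. It is not taken from any real
# W4SP sample; it only shows the shape of a hidden __import__ first stage, and the
# base64 string decodes to a harmless print("hi").
SAMPLE_INIT = '''
"""A seemingly legitimate helper module."""
import os

def helper(x):
    return x * 2

__import__("builtins").exec(__import__("base64").b64decode("cHJpbnQoImhpIik="))
'''

# Only these files run without the user ever calling into the package explicitly.
ENTRY_FILES = ("setup.py", "__init__.py")


def find_dunder_imports(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, first_argument) for every direct call to __import__.

    The argument is reported when it is a string literal, otherwise as
    "<dynamic>". A file that does not even parse is reported as (0, "<unparsable>")
    so that obfuscated files are not silently skipped.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return [(0, "<unparsable>")]
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(tree):  # walk every node, so nested calls are found too
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "__import__"):
            arg = "<dynamic>"
            if node.args and isinstance(node.args[0], ast.Constant) \
                    and isinstance(node.args[0].value, str):
                arg = node.args[0].value
            hits.append((node.lineno, arg))
    return sorted(hits)


def scan_package_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> source, looking only at setup.py and __init__.py."""
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for path, source in files.items():
        if path.rsplit("/", 1)[-1] in ENTRY_FILES:
            hits = find_dunder_imports(source)
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    print(scan_package_files({"pkg/__init__.py": SAMPLE_INIT, "pkg/util.py": "import os\n"}))
```

A hit is a review prompt, not a verdict: legitimate code occasionally uses __import__, but a string-literal __import__ of builtins or base64 inside setup.py or __init__.py deserves a look before the package is installed anywhere.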

Phylum has been monitoring the actions of this group, both on PyPI and elsewhere, for some time now, gathering information about the actors themselves and the infrastructure they use in an effort to severely hamper, if not completely stop, their continuous publication of malware into the open source ecosystem.

The Updated List

Here’s the list of packages we’ve seen them publish since our November 18th update. This brings the total number of packages published since we first saw activity from this group to at least 100.

  • coloram
  • urllib7
  • pyiopcs
  • go-requests
  • requests-dm
  • discordxyz
  • requests-dm
  • discordies
  • pystrdir
  • object3
  • coloriv
  • colorwed
  • pydesings
  • abilityhelper
  • requests-dm
  • pyutilsfhx
  • urllib12
  • pymaxt
  • pyfadecolor
  • urllib12
  • fastupdate
  • pyshdesings
  • xamp
  • sudo2
  • colorobject3
  • pystfule
  • b2b
  • b3b
  • b4b
  • aihttps
  • pydsecegg
  • pydpapi
  • httpxpy
  • https3
  • pyzhttp
  • https-rot
  • pywz
  • pycolorstype
  • librarie
  • https2
  • pyxhttp
  • filcolors
  • fil-colors
  • pywe
  • ConsoleColorTest
  • iua
  • superpycolortext
  • pthttp
  • filcolorsff
  • value2
  • logic2

What Now?

We at Phylum will be continuing to monitor and report this group’s malware publications. In case the threat actors haven’t figured it out yet, Phylum has a fully automated package monitoring and analysis platform that works quickly and efficiently at scale. We literally get pinged every time you publish your malware. You can keep spinning the hamster wheel, but you won’t get very far. Until next time, I’ll just keep updating this list.