W4SP Stealer Update—They’re Still At It

This one will be short and sweet! Since our last W4SP Stealer update, we’ve seen at least 47 additional packages containing W4SP Stealer published on PyPI by these threat actors. And again, they are all published under the guise of a legitimate package, with the malicious __import__ first stage lurking somewhere in __init__.py, setup.py, or some other file that gets executed during installation or on first import.
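The post describes where the first stage hides (setup.py or __init__.py, i.e. code that runs at install time or on first import) and what it looks like (a __import__ call). As an added example, not Phylum's tooling and not code from any of the packages listed here, the script below turns that description into a static check a defender can run over an unpacked sdist or wheel before installing it: it parses only the install-time and import-time files with the ast module and reports every call to __import__, exec or eval, which an ordinary setup.py or package __init__ almost never needs. The lookalike package it builds in a temporary directory (name, file contents, inert payload line) is constructed for the demo.

```python
"""Heuristic scanner for the W4SP-style first stage described in the post.

Constructed example: flags __import__/exec/eval calls in files that run at
install time or on first import. Not Phylum tooling.
"""
import ast
import tempfile
from pathlib import Path

# Files the post names as hiding spots for the first stage.
INSTALL_TIME_FILES = {"setup.py", "__init__.py"}
# Callables a legitimate setup.py or package __init__ almost never needs.
SUSPICIOUS_CALLS = {"__import__", "exec", "eval"}


def _call_name(node):
    """Return the bare name of a called function (Name or Attribute), or None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def scan_source(source, filename):
    """Parse one file and report suspicious call sites with line numbers."""
    findings = []
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        # A file that will not even parse is itself worth a manual look.
        return [{"file": filename, "line": exc.lineno or 0, "call": "<syntax error>"}]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append({"file": filename, "line": node.lineno, "call": name})
    return findings


def scan_package(root):
    """Walk an unpacked package and scan only its install/import-time files."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.py")):
        if path.name in INSTALL_TIME_FILES:
            rel = str(path.relative_to(root))
            findings.extend(scan_source(path.read_text(encoding="utf-8"), rel))
    return findings


def build_sample_package():
    """Write a constructed lookalike package to a temp dir for the demo.

    The setup.py mimics the shape the post describes (a __import__ call
    dropped into an otherwise ordinary setup file); the payload line is inert.
    """
    root = Path(tempfile.mkdtemp(prefix="w4sp-demo-"))
    pkg = root / "requests_dm"  # constructed name, modelled on the list above
    pkg.mkdir()
    (pkg / "__init__.py").write_text("VERSION = '1.0'\n", encoding="utf-8")
    # Not an install-time file, so the scanner deliberately skips it.
    (pkg / "helpers.py").write_text("exec('print(1)')\n", encoding="utf-8")
    (root / "setup.py").write_text(
        "from setuptools import setup\n"
        "__import__('builtins').print('stage one would fetch stage two here')\n"
        "setup(name='requests-dm', version='1.0', packages=['requests_dm'])\n",
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    for f in scan_package(build_sample_package()):
        print(f"{f['file']}:{f['line']}: suspicious call to {f['call']}")
```

Scope is the point of the design: the scanner ignores exec in helpers.py because code in an ordinary module only runs when something calls it, whereas anything in setup.py runs the moment pip builds the package. Widening SUSPICIOUS_CALLS (base64 decoding, urllib/requests fetches, subprocess) catches more variants at the cost of more false positives in legitimate build scripts.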

Phylum has been monitoring this group’s activity, both on PyPI and elsewhere, for some time now, gathering information about the actors themselves and the infrastructure they use, in an effort to severely hamper, if not completely stop, their continuous publication of malware into the open source ecosystem.

The Updated List

Here’s the list of packages we’ve seen them publish since our November 18th update. Counting from when we first saw activity from this group, this brings the total to at least 100 published packages.

  • coloram
  • urllib7
  • pyiopcs
  • go-requests
  • requests-dm
  • discordxyz
  • requests-dm
  • discordies
  • pystrdir
  • object3
  • coloriv
  • colorwed
  • pydesings
  • abilityhelper
  • requests-dm
  • pyutilsfhx
  • urllib12
  • pymaxt
  • pyfadecolor
  • urllib12
  • fastupdate
  • pyshdesings
  • xamp
  • sudo2
  • colorobject3
  • pystfule
  • b2b
  • b3b
  • b4b
  • aihttps
  • pydsecegg
  • pydpapi
  • httpxpy
  • https3
  • pyzhttp
  • https-rot
  • pywz
  • pycolorstype
  • librarie
  • https2
  • pyxhttp
  • filcolors
  • fil-colors
  • pywe
  • ConsoleColorTest
  • iua
  • superpycolortext
  • pthttp
  • filcolorsff
  • value2
  • logic2

What Now?

We at Phylum will continue to monitor and report this group’s malware publications. In case the threat actors haven’t figured it out yet, Phylum has a fully automated package monitoring and analysis platform that works quickly and efficiently at scale. We literally get pinged every time you publish your malware. You can keep spinning the hamster wheel, but you won’t get very far. Until next time, I’ll just keep updating this list.

Phylum Research Team

Hackers, Data Scientists, and Engineers responsible for the identification and takedown of software supply chain attackers.