W4SP Stealer Update—They’re Still At It
This one will be short and sweet! Since our last W4SP Stealer update, we’ve seen at least an additional 47 packages containing W4SP Stealer published on PyPI by these threat actors. And again, they are all published under the guise of a legit package with the malicious __import__ first stage lurking somewhere in the __init__.py, the setup.py, or some other important file that gets called during installation or on first import.
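As an added example (not Phylum's code or tooling), here is a small AST-based check a defender can run over a package's setup.py and __init__.py to flag the kind of __import__ / exec / eval first stage described above. The package it scans is constructed for illustration, and WATCHED_FILES, RISKY_CALLS and the function names are assumptions of this example.

```python
import ast
from typing import Dict, List, Tuple

# Files W4SP-style packages use for the install-time / first-import stage.
WATCHED_FILES = ("setup.py", "__init__.py")
# Dynamic-loading and code-execution calls worth reviewing in those files.
RISKY_CALLS = {"__import__", "exec", "eval"}

def find_risky_calls(source: str, filename: str) -> List[Tuple[int, str, bool]]:
    """Return (line, call_name, literal_arg) for every risky call in source.
    literal_arg is False when the first argument is not a plain string, i.e. the
    module name or code is assembled at runtime (the obfuscated shape to review first)."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        # An install script that does not even parse still deserves a look.
        return [(exc.lineno or 0, "SYNTAX_ERROR", False)]
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func  # covers __import__(...) and builtins.__import__(...)
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name in RISKY_CALLS:
            first = node.args[0] if node.args else None
            literal = isinstance(first, ast.Constant) and isinstance(first.value, str)
            hits.append((node.lineno, name, literal))
    return hits

def scan_package(files: Dict[str, str]) -> List[str]:
    """Scan a {path: source} mapping and return one finding string per hit."""
    findings = []
    for path, source in files.items():
        if not path.endswith(WATCHED_FILES):  # only files run at install/import
            continue
        for line, name, literal in find_risky_calls(source, path):
            kind = "literal" if literal else "non-literal"
            findings.append(f"{path}:{line}: {name}() with {kind} argument")
    return findings

# Constructed sample (not real W4SP code): setup.py assembles the module name
# at runtime before calling __import__, the shape of an obfuscated first stage.
SAMPLE_FILES = {
    "setup.py": "from setuptools import setup\n"
                "name = ''.join(['b', 'u', 'i', 'l', 't', 'i', 'n', 's'])\n"
                "__import__(name)\n"
                "setup(name='example', version='0.1')\n",
    "example/__init__.py": "import json\n",
}
```

Run `scan_package` over the extracted files of a downloaded sdist or wheel before installing; a non-literal hit in setup.py is the signal to read the file by hand.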
Phylum has been monitoring the actions of this group, both on PyPI and elsewhere, for some time now, gathering up information about the actors themselves and the infrastructure they use in an effort to severely hamper, if not completely stop, their continuous publication of malware into the open source ecosystem.
The Updated List
Here’s the list of packages we’ve seen them publish since our November 18th update. Since we first saw activity from this group, this brings the total published package count to at least 100 packages.
coloram
urllib7
pyiopcs
go-requests
requests-dm
discordxyz
requests-dm
discordies
pystrdir
object3
coloriv
colorwed
pydesings
abilityhelper
requests-dm
pyutilsfhx
urllib12
pymaxt
pyfadecolor
urllib12
fastupdate
pyshdesings
xamp
sudo2
colorobject3
pystfule
b2b
b3b
b4b
aihttps
pydsecegg
pydpapi
httpxpy
https3
pyzhttp
https-rot
pywz
pycolorstype
librarie
https2
pyxhttp
filcolors
fil-colors
pywe
ConsoleColorTest
iua
superpycolortext
pthttp
filcolorsff
value2
logic2
What Now?
We at Phylum will be continuing to monitor and report this group’s malware publications. In case the threat actors haven’t figured it out yet, Phylum has a fully automated package monitoring and analysis platform that works quickly and efficiently at scale. We literally get pinged every time you publish your malware. You can keep spinning the hamster wheel, but you won’t get very far. Until next time, I’ll just keep updating this list.