A new advisory by SentinelLabs and Checkmarx has linked a threat actor named ‘JuiceLedger’ to the first known phishing campaign targeting Python Package Index (PyPI) users.
The repository’s Twitter account first described its initial findings about the campaign on August 24, 2022 in a series of posts.
Approximately a week later, SentinelLabs is now expanding on PyPI’s discovery, indicating that JuiceLedger has been running relatively low-key campaigns since early 2022.
These attacks relied on fraudulent Python installer applications to deliver ‘JuiceStealer,’ a .NET application designed to steal sensitive data from victims’ browsers.
According to the advisory, in August 2022 JuiceLedger then engaged in poisoning open-source packages as a way to target a broader audience with the information stealer through a supply chain attack.
“The attack on PyPI in August involves a significantly more elaborate attack chain, including phishing emails to PyPI developers, typo-squatting, and malicious packages intended to infect downstream users with the JuiceStealer malware,” wrote the security researchers.
“This vector appears to have been used in parallel to the earlier JuiceLedger infection method, as similar payloads were delivered around the same time via fake cryptocurrency ledger websites.”
These new techniques significantly raised the threat level posed by this group, said SentinelLabs.
“JuiceLedger operators have actively targeted PyPI package contributors in a phishing campaign, successfully poisoning at least two legitimate packages with malware. Several hundred more malicious packages are known to have been typo-squatted.”
To mitigate the effects of these attacks, PyPI said that it is actively reviewing reports of malicious packages and has taken down several hundred typo-squats. The repository also urged package maintainers to turn on two-factor authentication (2FA).
As for JuiceLedger, the SentinelLabs advisory stated that the threat actor appears to have evolved quite rapidly over the past few months.
“The escalation in complexity in the attack on PyPI contributors, involving a targeted phishing campaign, hundreds of typo-squatted packages and account takeovers of trusted developers, indicates that the threat actor has time and resources at their disposal,” reads the document.
“Given the widespread use of PyPI and other open source packages in enterprise environments, attacks such as these are a cause for concern, and security teams are urged to evaluate the provided indicators and take appropriate mitigation actions.”