Published in checkmarx-security

Typosquatting Attack on ‘requests’ - One of the Most Popular Python Packages

Python’s requests package is the unofficial champion when it comes to performing HTTP requests. While many third-party packages try to make HTTP requests easier, requests is by far one of the best in terms of user experience, with nearly 50,000,000 weekly installations.

Attack

On May 31, at 09:29:11, Checkmarx’s automated package analysis technology reported suspicious activity with multiple red flags. Tal Folkman, a senior security researcher in Checkmarx’s Supply Chain Security (SCS) research team, verified the malicious activity and revealed a multi-technique campaign, which was reported to PyPI’s security team less than one hour after the attack was launched.

Techniques

As defenders, we see many attackers. One thing we can say for sure is that those attackers are evolving and keep improving their techniques.

Typosquatting

This technique relies on human typing mistakes, and it is very clear the attacker used it in this case, given the multiple similar permutations of the ‘requests’ package name.

StarJacking

For those of you who haven’t heard about StarJacking, check out this blog post.

In this attack, the original ‘requests’ GitHub repository was listed as the repository of the malicious packages, making them look highly popular and reliable.

[Figure: Usage of the StarJacking technique in this attack]

Execution Upon Usage

The malicious payload is tricky and launches upon usage, meaning you must import the malicious package and use it in order to invoke the malicious code. IMHO this was done to avoid some security scanners, as they blindly install the package to see what happens without actually using it.

Disposable Account

The PyPI account OrangeAlice is clearly fake. It was created on May 27th and contains a total of 11 packages: 1 test package and 10 typosquatting attempts.

The attacker who published those packages stated in their metadata that the author email is “me@kennethreitz.org”, an unvetted lie, as this email actually belongs to Kenneth Reitz, the original maintainer of the requests package.
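The three metadata red flags described above (a name a couple of keystrokes away from ‘requests’, the genuine repository URL attached to a different package, and the real maintainer’s e-mail reused by another publisher) can be checked mechanically before a package is allowed into a build. The script below is an added example written for this post, not Checkmarx tooling; the allow-list entry for requests uses its real repository (psf/requests) and the e-mail quoted above, while the sample record is constructed and its package name is invented.

```python
import re

# Allow-list a defender maintains for the packages they actually depend on.
# The 'requests' entry is the only real one here: its canonical GitHub repo
# and the maintainer e-mail the attacker reused in the package metadata.
KNOWN = {
    "requests": {
        "repo": "https://github.com/psf/requests",
        "maintainer_email": "me@kennethreitz.org",
    },
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two package names (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def review_metadata(meta: dict) -> list[str]:
    """Return the red flags found in one package's PyPI-style metadata."""
    flags = []
    name = normalize(meta["name"])
    repo = (meta.get("project_urls") or {}).get("Source", "") or meta.get("home_page", "")
    email = meta.get("author_email", "").lower()
    for known, info in KNOWN.items():
        if name == known:
            continue  # the genuine package, nothing to compare against itself
        if levenshtein(name, known) <= 2:
            flags.append(f"typosquat: '{meta['name']}' is within 2 edits of '{known}'")
        if repo.rstrip("/").lower() == info["repo"]:
            flags.append(f"starjacking: repository URL belongs to '{known}'")
        if email == info["maintainer_email"]:
            flags.append(f"identity: author e-mail belongs to the '{known}' maintainer")
    return flags

# Constructed sample shaped like the packages described in this post;
# the name is invented and is not one of the real malicious packages.
SAMPLE = {
    "name": "requesst",
    "project_urls": {"Source": "https://github.com/psf/requests"},
    "author_email": "me@kennethreitz.org",
}

if __name__ == "__main__":
    for flag in review_metadata(SAMPLE):
        print("FLAG:", flag)
```

In a real pipeline the metadata dict would come from the package's METADATA file or the PyPI JSON API, and the allow-list would cover every dependency in the lock file.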

The Impact

Crypto Miner

The malicious code downloads an open-source cryptomining software called “xmrig”, version 6.17.0, from the official project’s release page on GitHub: https://github.com/xmrig/xmrig

[Figure: xmrig payload on VirusTotal]

Once the software is downloaded and extracted, it is executed as a subprocess, provided with the attacker’s wallet address to collect the funds.

By checking the attacker’s wallet on https://supportxmr.com/ we’ve seen that it has gained some traffic.

Hostname Exfiltration

In addition, the attacker sends the victim’s hostname to his application hosted on serene-springs-50769[.]herokuapp[.]com.

Conclusion

‘requests’ is one of the most popular Python packages, and a typosquatting attack on it can cause significant damage; this time it came in the form of a cryptominer.

We have reported all packages to PyPI and are working with them to block the attack as soon as possible. Please exercise caution until the malicious packages are removed.

Package Names

IOCs

  • serene-springs-50769[.]herokuapp[.]com
  • 44ZptWtXxVhjLYGz8oKCMSW6nA9Gpc2RVYQDzyBnaM7VZkaCTGZGEANQTR3pNXK3mzZq1cVzKs1SA3H4Wibc6qVvG5xpcSY

Checkmarx Got Your Back!

Customers of Checkmarx are safe, as our ahead-of-time cloud analysis technologies, seamlessly integrated with the Checkmarx SCA solution, alert on such accidental installations of malicious packages before they are shipped forward.

Jossef Harush