A dormant package on the Python Package Index (PyPI) repository was updated after nearly two years to deliver an information stealer malware known as Nova Sentinel.
The package, named django-log-tracker, was first published to PyPI in April 2022, according to software supply chain security firm Phylum, which detected an anomalous update to the library on February 21, 2024.
While the linked GitHub repository hasn't been updated since April 10, 2022, the introduction of a malicious update suggests a likely compromise of the developer's PyPI account.
Django-log-tracker has been downloaded 3,866 times to date, with the rogue version (1.0.4) downloaded 107 times on the day it was published. The package is no longer available for download from PyPI.
“In the malicious update, the attacker stripped the package of most of its original content, leaving only an __init__.py and example.py file behind,” the company said.
The changes, simple and self-explanatory, involve fetching an executable named “Updater_1.4.4_x64.exe” from a remote server (“45.88.180[.]54”), followed by launching it using the Python os.startfile() function.
The binary, for its part, comes embedded with Nova Sentinel, a stealer malware that was first documented by Sekoia in November 2023 as being distributed in the form of fake Electron apps on bogus sites offering video game downloads.
“What’s interesting about this particular case […] is that the attack vector appeared to be an attempted supply-chain attack via a compromised PyPI account,” Phylum said.
“If this had been a very popular package, any project with this package listed as a dependency without a version specified or with a flexible version specified in their dependency file would have pulled the latest, malicious version of this package.”
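The two conditions Phylum's closing remark rests on, an unpinned or flexible dependency specifier and a package that revives after a long silence, are both checkable before a build. The following is an added example, not Phylum's code or part of the django-log-tracker project; the requirements file and release dates are constructed sample input (the dates mirror the April 2022 publication and February 21, 2024 update described above), and the 365-day dormancy threshold is an assumed policy value.

```python
# Added example (not Phylum's or the project's code): two defender-side checks for the
# conditions this incident relied on: unpinned/flexible requirements, and a package
# that goes quiet for a long time and then suddenly ships a new release.
import re
from datetime import datetime

# name, then everything up to an optional "# comment" is the version specifier
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*(?:#.*)?$")


def find_unpinned(requirements_text):
    """Return requirement names that are not pinned to an exact version (==)."""
    flagged = []
    for line in requirements_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_RE.match(line)
        # Anything but an exact pin lets the resolver take the newest release.
        if m and not m.group(2).startswith("=="):
            flagged.append(m.group(1))
    return flagged


def dormancy_gap_days(release_dates):
    """Days between the newest release and the one before it (0 if fewer than two)."""
    dates = sorted(release_dates)
    return (dates[-1] - dates[-2]).days if len(dates) >= 2 else 0


def suspicious_revival(release_dates, threshold_days=365):
    """True when the newest release ends a silence longer than threshold_days (assumed policy)."""
    return dormancy_gap_days(release_dates) > threshold_days


# Constructed sample input (not real PyPI data); the release dates mirror the
# April 2022 publication and 21 February 2024 update described in the article.
SAMPLE_REQUIREMENTS = """\
django==4.2.10
django-log-tracker          # no specifier: newest release wins
requests>=2.31              # flexible specifier: newest release wins
"""
SAMPLE_RELEASES = [datetime(2022, 4, 1), datetime(2022, 4, 10), datetime(2024, 2, 21)]

if __name__ == "__main__":
    print("unpinned:", find_unpinned(SAMPLE_REQUIREMENTS))
    print("gap:", dormancy_gap_days(SAMPLE_RELEASES), "days; revival:",
          suspicious_revival(SAMPLE_RELEASES))
```

In practice the release dates would come from the `upload_time` fields of a package's PyPI JSON metadata, and both checks would run in CI against the lock or requirements file.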