Friday, November 22, 2024

Dormant PyPI Package deal Compromised to Unfold Nova Sentinel Malware

Feb 23, 2024NewsroomProvide Chain Assault / Malware

Nova Sentinel Malware

A dormant package deal out there on the Python Package deal Index (PyPI) repository was up to date almost after two years to propagate an info stealer malware referred to as Nova Sentinel.

The package deal, named django-log-tracker, was first printed to PyPI in April 2022, based on software program provide chain safety agency Phylum, which detected an anomalous replace to the library on February 21, 2024.

Whereas the linked GitHub repository hasn’t been up to date since April 10, 2022, the introduction of a malicious replace suggests a possible compromise of the PyPI account belonging to the developer.

Django-log-tracker has been downloaded 3,866 instances so far, with the rogue model (1.0.4) downloaded 107 instances on the date it was printed. The package deal is now not out there for obtain from PyPI.

Cybersecurity

“Within the malicious replace, the attacker stripped the package deal of most of its authentic content material, leaving solely an __init__.py and instance.py file behind,” the corporate stated.

The adjustments, easy and self-explanatory, contain fetching an executable named “Updater_1.4.4_x64.exe” from a distant server (“45.88.180[.]54”), adopted by launching it utilizing the Python os.startfile() operate.

The binary, for its half, comes embedded with Nova Sentinel, a stealer malware that was first documented by Sekoia in November 2023 as being distributed within the type of pretend Electron apps on bogus websites providing online game downloads.

“What’s attention-grabbing about this specific case […] is that the assault vector gave the impression to be an tried supply-chain assault through a compromised PyPI account,” Phylum stated.

“If this had been a very common package deal, any mission with this package deal listed as a dependency with out a model specified or a versatile model specified of their dependency file would have pulled the most recent, malicious model of this package deal.”

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we submit.



Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles