Malicious Python Repository Package drops Cobalt Strike on Windows, macOS & Linux systems

Public repositories of open source code are a critical part of the software supply chain that many organizations use to build applications. They are therefore an attractive target for adversaries seeking to distribute malware to a mass audience.

The latest case in point is a malicious package for distributing Cobalt Strike on Windows, macOS, and Linux systems, which was uploaded to the widely used Python Package Index (PyPI) registry for Python application developers. The “pymafka” package has a name that’s very similar to “PyKafka,” a popular Apache Kafka client for Python that has been downloaded more than 4.2 million times so far.

More than 300 users were tricked into downloading the malicious package, thinking it was the legitimate code, before researchers at Sonatype discovered the issue and reported it to the PyPI registry. It has since been removed, but applications that incorporated the malicious script remain a threat.

“The number of downloads for the malicious package include automated downloads initiated by mirrors and bots in addition to user-initiated downloads,” says Ax Sharma, security researcher at Sonatype.

According to him, downloads involving users mistakenly typing “pymafka” instead of “pykafka”  likely were fewer than 100 in number. “Intuitively, it may seem the impact from a typosquatting attack is limited to a single user making the spelling error,” he says. “But things get complicated when a developer misspells a dependency name in their library, and their library is further being used as a dependency within other third-party software projects,” he says. The users of these other applications may then automatically be infected with the typosquatted project, without having taken any action or making a mistake.

Second Typosquatting Incident in a Month

The incident marks the second typo-squatting incident involving the Apache Kafka project that Sonatype researchers uncovered this month. Earlier, they discovered a package on PyPI that had the same name as a Kafka-related Python project on GitHub called “karaspace.” Though the malicious package on PyPI had the same name as the legitimate project, it was designed to steal IP addresses, user names, and other information for fingerprinting devices on which the package was installed.

To read the complete article, visit Dark Reading.