New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics

New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics

Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code.

The packages, named NP6HelperHttptest and NP6HelperHttper, were each downloaded 537 and 166 times, respectively, before they were taken down.

“The latest discovery is an example of DLL sideloading executed by an open-source package that suggests the scope of software supply chain threats is expanding,” ReversingLabs researcher Petar Kirhmajer said in a report shared with The Hacker News.

Malicious PyPI Packages

In side-loading the DLL, the aim is to avoid detection of the malicious code, as observed previously in the case of an npm package called aabquerys that also leveraged the same technique to execute code capable of deploying a remote access trojan.

The DLL, for its part, reaches out to an attacker-controlled domain (“us.archive-ubuntu[.]top”) to fetch a GIF file that, in reality, is a piece of shellcode for a Cobalt Strike Beacon, a post-exploitation toolkit used for red teaming.

“Development organizations need to be aware of the threats related to supply chain security and open-source package repositories,” security researcher Karlo Zanki said.

“Even if they are not using open-source package repositories, that doesn’t mean that threat actors won’t abuse them to impersonate companies and their software products and tools.”