Phylum uncovers targeted malware disguised in Python package

Phylum’s researchers have detected a malicious payload embedded in a Python package published to the PyPI repository. The package, named requests-darwin-lite, is an unauthorised imitation of the widely used requests library: it is not itself popular, but borrows the name and layout of a project that is.

The requests-darwin-lite package was built to look like its legitimate counterpart, but shipped a Go binary concealed inside an oversized image file posing as a simple logo. This file, a PNG labelled as the project’s sidebar image, weighed in at around 17MB, a stark contrast to the roughly 300kB of the genuine sidebar image in requests. An image file that is two orders of magnitude larger than upstream is a cheap and reliable tell when reviewing a package.

During installation of the package, a custom setuptools install command class named ‘PyInstall’ was triggered if the installation environment was macOS. This class decoded and executed a base64-encoded shell command that read the machine’s hardware UUID (Universally Unique Identifier).

The code compared that value against a single hard-coded UUID, indicating a highly targeted attack. If the UUID did not match, installation continued normally without deploying the malware, so on almost every machine the package behaved like an ordinary, if useless, dependency. This suggests the attackers were either testing their deployment or had one specific target in mind.

When the conditions were met, the oversized PNG was processed to carve out the hidden binary, which was then made executable and run in the background, effectively giving the attackers control of the machine. File analysis identified the binary as a component of Sliver, an open-source C2 (command and control) framework comparable to Cobalt Strike but less widely known and, the researchers note, therefore less likely to be flagged by defences tuned for Cobalt Strike.
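The two tells described above, a custom install command in setup.py that decodes and runs a hidden command, and an image file that is really a container for an executable, can both be found statically before anything is installed. The following is an added example, not Phylum’s tooling and not code from the package; the sample setup.py, the target UUID placeholder, the ioreg command and the fake Mach-O payload are all constructed here to stand in for the real artefacts, and the PNG is generated in-code so the script runs offline.

```python
"""Static triage of a Python package for install-time hooks and executables hidden in images.

Added example: the setup.py, UUID and payload below are constructed stand-ins, not the
real requests-darwin-lite artefacts.
"""
import ast
import base64
import struct
import zlib

# Executable file magics to look for inside an "image": Mach-O (32/64, both byte orders),
# Mach-O fat binaries, and ELF. A false positive inside compressed IDAT data is possible
# but vanishingly rare for a 4-byte match; treat a hit as "open this file by hand".
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
ELF_MAGIC = b"\x7fELF"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
HOOK_BASES = {"install", "develop", "egg_info", "build_py"}


def find_install_hooks(setup_py: str) -> list[dict]:
    """Return setup.py classes that subclass a setuptools command (code that runs on install),
    together with any base64 string literals inside them that decode to printable text."""
    hooks = []
    for node in ast.walk(ast.parse(setup_py)):
        if not isinstance(node, ast.ClassDef):
            continue
        bases = [ast.unparse(b) for b in node.bases]
        if not any(b.split(".")[-1] in HOOK_BASES for b in bases):
            continue
        decoded = []
        for sub in ast.walk(node):
            if isinstance(sub, ast.Constant) and isinstance(sub.value, str) and len(sub.value) >= 16:
                try:
                    text = base64.b64decode(sub.value, validate=True).decode("ascii")
                except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
                    continue
                if text.isprintable():
                    decoded.append(text)
        hooks.append({"class": node.name, "bases": bases, "decoded_strings": decoded})
    return hooks


def triage_png(data: bytes) -> dict:
    """Walk the PNG chunk list to IEND, then report how many bytes trail the image and
    whether an executable magic appears anywhere in the file."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, iend_at = len(PNG_SIG), None
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4-byte length + 4-byte type + body + 4-byte CRC
        if kind == b"IEND":
            iend_at = pos
            break
    found = [m for m in MACHO_MAGICS + (ELF_MAGIC,) if m in data]
    return {
        "trailing_bytes": None if iend_at is None else len(data) - iend_at,
        "exec_magic_found": bool(found),
        "exec_magic_offset": data.find(found[0]) if found else None,
    }


# --- constructed sample input -------------------------------------------------------
def _chunk(kind: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body))


def make_png_1x1() -> bytes:
    """A minimal valid 1x1 RGB PNG, used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # one scanline: filter byte + RGB
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Fake 64-bit little-endian Mach-O header followed by filler, appended after IEND.
FAKE_PAYLOAD = b"\xcf\xfa\xed\xfe" + b"\x00" * 12 + b"constructed stand-in for a Go binary"
SAMPLE_IMAGE = make_png_1x1() + FAKE_PAYLOAD

# Representative hardware-UUID lookup on macOS; the UUID below is a placeholder, not the real target.
SAMPLE_CMD = "ioreg -d2 -c IOPlatformExpertDevice | awk -F'\"' '/IOPlatformUUID/{print $(NF-1)}'"
B64_CMD = base64.b64encode(SAMPLE_CMD.encode()).decode()
TARGET_UUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_SETUP_PY = f'''
from setuptools import setup
from setuptools.command.install import install
import base64, subprocess, sys

class PyInstall(install):
    def run(self):
        install.run(self)
        if sys.platform == "darwin":
            cmd = base64.b64decode("{B64_CMD}").decode()
            uuid = subprocess.check_output(cmd, shell=True).decode().strip()
            if uuid == "{TARGET_UUID}":
                self.unpack("requests_darwin_lite/sidebar.png")

setup(name="requests-darwin-lite", cmdclass={{"install": PyInstall}})
'''

if __name__ == "__main__":
    for hook in find_install_hooks(SAMPLE_SETUP_PY):
        print(f"install hook {hook['class']}({', '.join(hook['bases'])}) decodes: {hook['decoded_strings']}")
    print("image:", triage_png(SAMPLE_IMAGE))
```

Run against a real sdist, point find_install_hooks at the unpacked setup.py and triage_png at every PNG in the archive; any trailing bytes after IEND or an executable magic inside an image, combined with a cmdclass override, is enough to quarantine the package for manual review. Installing from wheels only (pip’s --only-binary=:all:) sidesteps setup.py hooks entirely, which is the cheapest preventive control for this class of attack.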

Phylum noted that the earlier versions of the package carried both the malicious installation hook and the packed binary. Later versions, 2.28.0 and 2.28.1, dialled these back: 2.28.0 still shipped the binary but no longer executed it on installation, and 2.28.1 lacked the malicious components altogether.

The discovery prompted an immediate report to PyPI, which removed all versions of the package from the repository. The sequence of events underscores the need for vigilance in the open-source ecosystem, where typosquatting, package impersonation and narrowly targeted attacks are becoming increasingly sophisticated.

This incident is a further reminder that attackers continue to refine their methods for abusing open-source ecosystems, using seemingly innocuous packages to deploy malware. Practical defences exist: prefer wheels over source distributions so that no setup.py runs at install time, pin dependencies with hashes, and treat any package that registers a custom install command, or ships assets far larger than its upstream equivalent, as a candidate for manual review.