This week in Malware, we discovered and analyzed 120 packages flagged as malicious, suspicious, or dependency confusion attacks.
Continuing our coverage from last week, new details have emerged about a phishing campaign that sought to steal account credentials from PyPI maintainers and poison their packages with malware.
Phishing caught in a larger scheme
An investigation into the malicious email campaign that hit PyPI last week found the phishing to be one step in a multi-stage operation rather than a one-off attack.
SentinelOne and Checkmarx released a report yesterday detailing how the threat actor behind the phishing has progressed over the course of the year from small-scale fraudulent apps and typosquatting to large-scale software vendor supply chain attacks.
The researchers identified a threat actor group they track as “JuiceLedger” as the perpetrator of last week’s phishing campaign, and described the PyPI supply chain attack as the most recent activity in a larger campaign by the group.
According to the report, the group is distributing .NET-based malware dubbed “JuiceStealer” that steals cryptocurrency credentials, browser data, and vault contents, and exfiltrates the stolen data to a domain (linkedopports[.]com) allegedly controlled by JuiceLedger.
JuiceStealer first appeared on VirusTotal in February 2022, with early iterations of the malware delivered via fake Python installer apps.
Later that year, JuiceLedger apparently turned to packaging its malware into rogue crypto-themed apps. The researchers described them as “delivered in a scheme similar to the Python installer” and “packaged in a zip file with additional legitimate software.”
In August 2022, JuiceLedger escalated its supply chain attack efforts by targeting PyPI maintainers with poisoned open source packages.