Last week's supply chain attacks against the Python Package Index repository, which resulted in the compromise of at least two PyPI projects, were only part of a bigger campaign that has been spreading the JuiceStealer credential-stealing malware since late last year, according to Ars Technica.
After being initially distributed through typosquatting, JuiceStealer, which is based on the .NET programming framework, was eventually spread by developer JuiceLedger through fraudulent cryptocurrency-themed applications, a report from SentinelOne and Checkmarx found.
Malware activity was discovered to have begun last year, with continued evolution observed since then.
"JuiceLedger appears to have evolved very quickly from opportunistic, small-scale infections only a few months ago to conducting a supply chain attack on a major software distributor. The escalation in complexity in the attack on PyPI contributors, involving a targeted phishing campaign, hundreds of typosquatted packages and account takeovers of trusted developers, indicates that the threat actor has time and resources at their disposal," said researchers.