This week in malware we discovered and analyzed 120 packages flagged as malicious, suspicious, or dependency confusion attacks.
As a follow-up to our coverage last week, new details emerged regarding a phishing campaign that sought to steal account credentials of PyPI maintainers and lace their packages with malware.
Phishing caught up in a larger scheme
An investigation of the malicious email campaign that plagued PyPI maintainers last week connected the phishing to part of a multi-step saga rather than a one-off trip.
SentinelOne and Checkmarx published a report yesterday that detailed how the threat actor behind the phishing upgraded from small-scale fraudulent applications and typosquatting to major-software-distributor supply chain attacks throughout the year.
Security researchers at the companies identified a threat actor group named “JuiceLedger” as the perpetrator of last week’s phishing campaign. Researchers said the PyPI supply chain attack was the most recent malicious activity in a larger campaign carried out by the group.
Reportedly, the group attempts to distribute a .NET-based malware, dubbed “JuiceStealer,” that steals credential, browser, and cryptocurrency vault information and feeds the ill-gotten goods to a domain (linkedopports[.]com) purportedly controlled by JuiceLedger.
JuiceStealer first appeared on VirusTotal in February 2022, with early iterations of the malware delivered via fake Python installer applications.
Later in the year, JuiceLedger apparently pivoted to packaging its malware in fraudulent crypto-themed applications. Researchers described these as “delivered in a similar scheme to the Python installer” and “embedded within a zip file with additional legitimate software.”
By August 2022, JuiceLedger escalated its threat efforts to supply chain attacks by targeting PyPI maintainers with poisoned open source packages.