Python Q&A site StackExchange hijacked to spread malware disguised as answers

Magnifying glass enlarging the word 'malware' in computer machine code

(Image credit: Shutterstock)

Researchers from Checkmarx have uncovered a sophisticated campaign in which attackers built credibility within the Python Package Index (PyPI) community to release crypto-draining, data-stealing malware.

Starting a little over a month ago, the attackers uploaded several non-malicious Python packages, such as ‘spl-types,’ to establish credibility and evade detection for a future attack, via the StackExchange Q&A website.

A little over a week later, the attackers released malicious versions of the packages embedding obfuscated malware within the ‘init.py’ file.

By first gaining the trust of the community, the hackers were able to deploy automatically executed malware to compromise unsuspecting victims’ systems, exfiltrating data and draining cryptocurrency wallets.

The attackers posted seemingly helpful answers on popular StackExchange threads, directing users to their malicious package by abusing the trust typical of these platforms.

A backdoor component provided the attackers with persistent remote access, which enabled long-term exploitation and greater crypto wallet drains. The attack primarily targeted those involved with Raydium and Solana cryptocurrencies.

Besides draining wallets, the malware also harvested sensitive data like browser history, saved passwords, cookies, and credit card information. It also targeted messaging apps like Telegram and Signal to capture screenshots and search for files with specific keywords relating to cryptocurrency and sensitive data.

Given the socially manipulative element of the attack, the researchers reaffirm the importance of verifying the authenticity of software packages and maintaining vigilance against potentially harmful forum content.

Moreover, basic cybersecurity measures, like not downloading unknown content, protecting online accounts with strong passwords and two-factor authentication, and keeping software updated, are vital steps in combating the spread of malware.

More from TechRadar Pro

Enhance your security with the best endpoint protection
Proofpoint email filter flaw exploited to send out millions of phishing messages
Downloaded something dodgy? It could be time to deploy the best firewall tools

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!