Malware downloaded from PyPI 41,000 times was surprisingly stealthy
https://safirsoft.com

Malware that infiltrates open source repositories is getting more and more sophisticated.

PyPI, an open source repository that organizations large and small use to download code libraries, hosted 11 malicious packages that were downloaded 41,000 times, in one of the latest reported incidents threatening the software supply chain.

JFrog, a security company that monitors PyPI and other repositories for malware, said the packages were notable because of the lengths their developers went to in order to hide the malicious code from network detection. Those lengths include a novel mechanism that uses what is known as a reverse shell to connect infected machines to control servers through the Fastly content delivery network. Another technique is DNS tunneling, something JFrog says it had never seen before in malware uploaded to PyPI.

Powerful Vector

JFrog's senior director of research wrote in an email: “Inadvertent installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach. Advanced evasion techniques used in these malware packages, such as a new hack or even a DNS tunnel (the first case that we saw in packages uploaded to PyPI), show the worrying trend that attackers are hiding more in their attacks on open source software.”

The researchers say PyPI quickly removed all of the malicious packages once JFrog reported them.

Malware infiltrating open source repositories dates back to at least 2016, when a college student uploaded malicious packages to PyPI, RubyGems and npm, giving them names similar to those of widely used packages.

Over the course of a few months, his impostor code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time it was granted full administrative rights. Some of the affected domains ended in .mil, a sign that people within the US military may have run his script.

In 2017, Slovakia's national security agency reported that malicious packages, including some hosted on PyPI, had been downloaded and had found their way into several production programs over a three-month period. Since then, countless pieces of malware have infiltrated repositories.

JFrog also found malicious PyPI packages that had been downloaded more than 30,000 times and carried out a range of nefarious activities, including stealing credit card information and injecting malicious code into infected devices.

Earlier this year, a researcher demonstrated a new type of supply chain attack with potentially devastating consequences. So-called dependency confusion attacks work by uploading malicious packages to public code repositories under names that match legitimate packages stored in the internal repositories of Microsoft, Apple, or another large software developer. Developers' package-management software often favors external code libraries over internal ones, so it downloads and uses the malicious package instead of the trusted one.

Attacker to Victim via Fastly

These types of attacks are now more difficult to detect. The most significant advancement the researchers found was in two packages, one called "critical package" (or alternatively "the critical package") and the other called "10Cent10" (or "10Cent11"). The packages use Fastly's CDN to disguise communications between the infected machine and the control server.

Malicious code hidden in the packages causes the infected machine to send an HTTPS request to pypi.python.org that is indistinguishable from a legitimate request to PyPI. Fastly then redirects the request, as an HTTP request, to the control server at psec.forward.io.global.prod.fastly.net. The server sends its replies back along the same path, enabling two-way communication. Fastly makes it easy for anyone to register a domain with the service, and in many cases registration can be done anonymously.

The PyPI infrastructure is hosted on Fastly's CDN. This hosting uses the Varnish transparent HTTP proxy to cache communications between clients and the backend. Traffic first goes to a TLS terminator for decryption, so the Varnish proxy can inspect the contents of the HTTP request. The proxy analyzes the HTTP headers of the user's request and forwards it to the appropriate backend based on the Host header. The process is then repeated in reverse, allowing the malware to mimic two-way communication with PyPI.

As a result, the command-and-control (C2) session is encrypted and signed with a legitimate server certificate.

DNS tunneling, another advanced evasion method the researchers found, uses the DNS channel, normally reserved for mapping domain names to IP addresses, to carry communications between the infected computer and the control server. DNS tunneling isn't new, but the researchers say this is the first time they have seen the technique used in malware uploaded to PyPI.

The findings are a sign that open source repositories are still being used to spread malware. Developers who rely on public repositories should take care to make sure there are no misspellings or misleading characters in the names of the packages they download.
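Two defender-side heuristics for the evasion techniques described above, written here as an added example rather than taken from JFrog's report or the article: it runs over constructed proxy and DNS log records, and assumes an egress proxy that records both the TLS server name (SNI) and the HTTP Host header of each request; the entropy and length thresholds are illustrative.

```python
import math
from collections import Counter

# Constructed sample records (not real captures); only the control-server hostname is from the article.
PROXY_LOG = [
    {"sni": "pypi.python.org", "host": "pypi.python.org", "path": "/simple/requests/"},
    {"sni": "pypi.python.org", "host": "psec.forward.io.global.prod.fastly.net", "path": "/"},
    {"sni": "files.pythonhosted.org", "host": "files.pythonhosted.org", "path": "/packages/a.whl"},
]
DNS_LOG = [
    "pypi.org",
    "files.pythonhosted.org",
    "a9f3k2lq0z8vbn4x7c1ywq2e.s7d8f9g0h1j2k3l4m5n6.tunnel-example.test",  # constructed
]


def fronting_mismatches(records):
    """Return proxy records whose HTTP Host header differs from the TLS server name.

    A CDN that terminates TLS and then routes on the Host header hands such a request
    to a backend other than the one the certificate names. Needs a proxy that logs both."""
    return [r for r in records if r["host"].lower() != r["sni"].lower()]


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def suspicious_dns(names, min_label_len=30, min_entropy=3.5):
    """Return (name, reason) pairs for queries whose leftmost label looks encoded.

    DNS tunnels carry payload bytes in labels, so those labels tend to be long and
    high-entropy compared with human-chosen hostnames. Tune thresholds to a baseline."""
    flagged = []
    for name in names:
        label = name.split(".")[0]
        if len(label) >= min_label_len:
            flagged.append((name, "long label"))
        elif shannon_entropy(label) >= min_entropy:
            flagged.append((name, "high-entropy label"))
    return flagged


if __name__ == "__main__":
    for r in fronting_mismatches(PROXY_LOG):
        print("possible domain fronting:", r["sni"], "->", r["host"])
    for name, reason in suspicious_dns(DNS_LOG):
        print("possible DNS tunnel:", name, f"({reason})")
```

Both checks produce candidates for review, not verdicts: the Host/SNI check is only possible where the proxy sees plaintext HTTP after TLS termination, and the entropy check will flag some legitimate CDN hostnames until the thresholds are tuned.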
