Attackers uploaded a dozen malicious Python packages to the PyPi repository
In a typosquatting attack this weekend, attackers uploaded a dozen malicious Python packages to the PyPi repository. The packages perform DDoS attacks on a Counter Strike 1.6 server.
The Python Package Index (PyPi) is a repository of open source software packages. Developers can draw on it and incorporate packages into their Python projects to build complex apps more easily.
Since the repository is open to anyone and anyone can upload packages, which remain available unless they are flagged as malicious, it is a common hunting ground for threat actors.
Researchers from Checkmarx discovered the typosquatting through unusual activity. They saw that a user with the name “devfather777” had published 12 packages whose names closely resemble those of popular packages, setting a trap for users who install the malicious version by mistake.
Typosquatting attacks rely on victims mistakenly clicking on, or typing the name of, a malicious package. In the case of the discussed attack, some of the packages and their legitimate counterparts were Gesnim (Gensim), TensorFolw (TensorFlow), etc.
The 12 packages uploaded by the user were Gesnim, TensorFolw, Kears, Seabron, tqmd, lxlm, mokc, ipaddres, ipadress, falsk, douctils and inda.
Since software developers install packages from the terminal, they can easily type a name with letters in the wrong order. The download and build proceed normally, so the user doesn’t discover the mistake and infects their device.