Malicious PyPI Package 'Pytoileur' Targets Windows and Leverages Stack Overflow for Distribution

Malicious PyPI package 'Pytoileur' targets Windows and leverages Stack Overflow for distribution, highlighting the need for package authenticity verification and security tools.

The Python Package Index (PyPI) is the most popular Python programming language software repository. It’s also a security disaster. In its latest adventure in malware, Sonatype, a software supply chain security company, discovered Pytoileur, a package designed to download and install trojanized Windows binaries capable of surveillance, achieving persistence and stealing cryptocurrency—you know, the usual.

Malware in action

This particular malicious package masquerades as an API management tool. What it actually contains is thinly disguised code that downloads and installs trojanized binaries on Windows systems.

Pytoileur accomplishes this by hiding Base64-encoded source code within its setup.py file. Because setup.py runs as part of installation, installing the package (if you are idiotic enough to do so) decodes and executes that code, which then runs a series of commands that download additional malicious components.

“While the base64 encoding is pretty standard in applications and doesn’t offer much in terms of masquerading malicious code, meaning in itself it’s not truly ‘suspicious’ to utilize it, the author had attempted to ‘hide’ this particular encoded string from manual human review by injecting it after a print statement, and then including a paragraph’s length of whitespace prior to the code.” — Sonatype security researcher Jeff Thornhill

Sonatype alerted PyPI admins, and Pytoileur should no longer be available on the site. It came in two versions, 1.0.1 and 1.0.2, and both did the same thing. Its metadata described it as a “Cool package,” and its webpage description touted it as an “API Management tool written in Python.”

Its malware components include trojan Windows binaries that can monitor user activity, capture sensitive information, and exfiltrate data to remote servers controlled by the attackers.

Trojan binary in action

Pytoileur’s chief poison is a binary that goes by the generic name “main.exe.” This program attempts to exfiltrate user profiles and data saved in common web browsers (Google Chrome, Brave, Firefox, etc.). Then it attempts to access local assets associated with fintech and crypto services including Binance, Coinbase, Exodus Wallet, PayPal, Payoneer, PaySafeCard, Crypto.com, and Skrill.

What makes Pytoileur different from the usual PyPI-hosted garbage is that its authors were using Stack Overflow, the popular developer question-and-answer site, to promote the malicious package. By posting seemingly legitimate questions and answers referencing Pytoileur, the attackers tried to convince people to download and install it.

You can’t trust anyone anymore!

So, what can you do about it? Well, stop me if you’ve heard this before. But, to mitigate the risk of similar attacks, you should:

  • Verify package authenticity: Always check the source and authenticity of packages before installation. Look for signs of tampering or unusual activity.
  • Use security tools: Employ automated security tools that can detect and block malicious packages. Tools like Sonatype’s Nexus and Phylum’s risk detection platform can save your systems.
  • Stay informed: Keep up to date with the latest security advisories and reports from trusted cybersecurity sources. (Like this one.)
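As an added illustration of both the hiding trick Thornhill describes (a Base64 blob tucked behind a print statement and a long run of whitespace in setup.py) and the “check before you install” advice above, here is a small static scanner. It is example code written for this page, not Sonatype’s tooling and not anything taken from the Pytoileur package. The setup.py text it scans is constructed for the example; the stand-in payload is a harmless echo command that is only decoded, never executed.

```python
import ast
import base64
import binascii
import re

# Tokens that, when seen in a decoded string, suggest the string is code
# destined for exec()/eval() rather than ordinary package data.
SUSPICIOUS_TOKENS = (
    "exec(", "eval(", "__import__", "subprocess", "os.system",
    "urllib", "requests.get", "powershell", "cmd.exe", ".exe",
)

# A base64 blob long enough to hold code: alphabet characters only, 40 or more.
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")
# A "paragraph's length" of horizontal whitespace on a single line.
PADDING_RE = re.compile(r"[ \t]{20,}")


def _decode_b64_text(s):
    """Return the UTF-8 text behind a base64 string, or None if it is not one."""
    if not B64_RE.match(s):
        return None
    try:
        raw = base64.b64decode(s)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def find_hidden_payloads(source):
    """Scan setup.py text for base64 string literals that decode to code.

    One finding per suspicious literal: the line it sits on, whether it is
    pushed off-screen by a run of whitespace earlier on that line, the
    suspicious tokens found in the decoded text, and a short preview.
    """
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        decoded = _decode_b64_text(node.value)
        if decoded is None:
            continue
        tokens = [t for t in SUSPICIOUS_TOKENS if t in decoded]
        if not tokens:
            continue
        # Everything on the line before the literal: a long run of spaces
        # here is the "hide it past the right edge of the editor" trick.
        prefix = lines[node.lineno - 1][: node.col_offset]
        findings.append({
            "line": node.lineno,
            "padded": PADDING_RE.search(prefix) is not None,
            "tokens": tokens,
            "preview": decoded[:60],
        })
    return findings


def find_exec_calls(source):
    """Line numbers of direct exec()/eval() calls, which a setup.py rarely needs."""
    return sorted(
        node.lineno
        for node in ast.walk(ast.parse(source))
        if isinstance(node, ast.Call)
        and isinstance(node.func, ast.Name)
        and node.func.id in ("exec", "eval")
    )


# Constructed sample, NOT the real Pytoileur setup.py: a harmless stand-in
# payload is base64-encoded and pushed 300 spaces to the right of a print().
_STANDIN_PAYLOAD = (
    "import subprocess\n"
    "subprocess.run(['cmd', '/c', 'echo stand-in for the downloader'])\n"
)
_ENCODED = base64.b64encode(_STANDIN_PAYLOAD.encode()).decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "\n"
    'print("Building pytoileur...");' + " " * 300
    + 'exec(__import__("base64").b64decode("' + _ENCODED + '"))\n'
    "\n"
    "setup(name='pytoileur', version='1.0.2', description='Cool package')\n"
)

# Constructed benign setup.py for comparison.
CLEAN_SETUP_PY = (
    "from setuptools import setup\n"
    "setup(name='example', version='0.1', description='A normal package')\n"
)

if __name__ == "__main__":
    for finding in find_hidden_payloads(SAMPLE_SETUP_PY):
        print(finding)
    print("exec/eval calls on lines:", find_exec_calls(SAMPLE_SETUP_PY))
```

To use this before installing something, fetch the source distribution without installing it (`pip download --no-deps --no-binary :all: <name> -d ./sdist`), unpack the tarball, and run the scanner over its setup.py before any `pip install`. It only catches this particular pattern (a large Base64 literal that decodes to code, plus whitespace padding and a bare exec/eval), not other obfuscation, so treat it as a triage aid alongside the tools listed above, not a replacement for them.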

Personally, with PyPI’s recent dismal security track record, I wouldn’t trust any code from this repository. See also: PyPI Goes Quiet After Huge Malware Attack: 500+ Typosquat Fakes Found, BIPClip: Malicious PyPI packages target crypto wallet recovery passwords. It’s just been one thing after another. Unless you know a package’s provenance, I’d steer clear of all of PyPI’s programs.