
Malicious Python Package Hides Sliver C2 Framework Within PNG File


Oct 26, 2025 · 3 min read

An attacker published a malicious package on PyPI named “requests-darwin-lite,” masquerading as a variant of the popular “requests” library, which contained a hidden Golang binary within an unusually large version of the legitimate “requests” logo image.

The binary’s execution was conditional, triggering only on specific system identifiers, suggesting a targeted attack or a test phase before wider distribution.

The legitimate requests package uses the cmdclass attribute in its setup.py file to customize test execution during installation; it defines a class named PyTest that inherits from TestCommand.

This class overrides several methods to configure arguments for the pytest tool. Its initialize_options method attempts to import multiprocessing and uses the cpu_count function to determine the number of cores, configuring parallel testing accordingly.

If importing multiprocessing fails, it defaults to running tests with one process.

The malicious requests-darwin-lite package modifies the run method of the custom PyInstall class to check if the system is macOS, and if it is, it decodes a base64-encoded string containing a command to get the system’s UUID.

It then extracts a specific portion of the output containing the UUID and compares it to a hardcoded value. If they match, it extracts a specific section of content from a file named “requests-sidebar-large.png” and writes it to a new file named “output” in a temporary directory.

It sets the permissions of “output” to executable and runs it, which suggests the malicious code embedded within the image file is only executed on macOS machines that meet a specific criterion.

An attacker created a malicious version of the “requests” package, and during installation on macOS, a script targeting the system’s UUID is decoded and executed.

If the UUID matches a predetermined value, the attacker steals data from a specific file within the package.

[Image: The requests project logo]

The attacker distributed a seemingly normal PNG image (“requests-sidebar-large.png”) that was much larger than expected (17MB) and contained hidden data appended to its end.

Although this is a basic steganography technique, the appended data did not affect how the image was displayed.

The attacker’s code treated this file as binary data, extracted the hidden data from a specific offset within the file, and wrote it to a new file. That file, which likely contained malicious code, was then made executable and silently run on the victim’s machine.
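A defender-side check for the appended-data technique described above: it walks the PNG chunk list to the IEND chunk and reports whatever follows it, flagging trailing bytes that start with a well-known executable magic. This is an added example, not code from the article or from the package; the sample PNG and the appended bytes are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Well-known executable magics that an appended blob might begin with.
EXEC_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal/fat",
    b"\x7fELF": "ELF",
    b"MZ": "PE/COFF",
}

def png_iend_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk.
    A valid PNG ends exactly here; anything beyond it is foreign data."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length+type header, payload, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def trailing_payload(data: bytes) -> dict:
    """Report bytes appended after IEND and whether they look like an executable."""
    end = png_iend_offset(data)
    tail = data[end:]
    kind = next((n for magic, n in EXEC_MAGICS.items() if tail.startswith(magic)), None)
    return {"iend_offset": end, "trailing_bytes": len(tail), "exec_magic": kind}

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_sample_png(extra: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG, optionally with `extra` appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + extra

if __name__ == "__main__":
    # Constructed stand-in for an appended binary: Mach-O 64 magic followed by filler.
    print(trailing_payload(build_sample_png()))
    print(trailing_payload(build_sample_png(b"\xcf\xfa\xed\xfe" + b"\x00" * 64)))
```

Run against a package's bundled images, any non-zero trailing_bytes count on a PNG is worth a closer look, whether or not a known magic is recognised.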

[Image: The modified install hook from requests-darwin-lite’s later versions]

The attacker compromised the Python package “requests-darwin-lite” by injecting dropper code into its install hook; the dropper carries a Go binary hidden inside a PNG image.

Analysts at Phylum suspect the binary to be OSX/Sliver, a tool similar to Cobalt Strike. The attackers themselves removed the first two infected versions; the third included the dropper but not the malicious payload, and the last version appeared clean. After discovery, PyPI took down the entire package.


Source: CybersecurityNews.com
