Security researchers have discovered a malicious Python package posing as a fork of the popular requests library that hides a Golang build of the Sliver command-and-control (C2) framework inside a PNG image of the project's logo.
The package using this concealment technique is named requests-darwin-lite; before it was removed from the Python Package Index (PyPI), it had been downloaded 417 times.
Requests-darwin-lite "seemed to be a derivation of the widely used requests bundle with certain notable discrepancies, chiefly the inclusion of a malicious Go binary packed into an enlarged version of the authentic requests side-bar PNG emblem," said software supply chain security firm Phylum.
The malicious changes live in the package's setup.py file, which decodes and executes a Base64-encoded command to read the system's Universally Unique Identifier (UUID).
In an unusual twist, the infection chain proceeds only if that UUID matches the expected identifier, suggesting that the package's author(s) are targeting a specific machine whose identifier they obtained beforehand through other means.
This leaves two possibilities: either this is a highly targeted attack, or it is a preliminary stage ahead of a broader campaign.
If the UUID matches, requests-darwin-lite goes on to read data from a PNG file named "requests-sidebar-large.png", mirroring the legitimate requests package, which ships a similar file named "requests-sidebar.png".
The difference is in size: the genuine logo bundled with requests is about 300 kB, while the one in requests-darwin-lite is roughly 17 MB.
The binary data hidden in the PNG is a Golang build of Sliver, an open-source C2 framework designed for use by security practitioners in red team operations.
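As an added illustration (not Phylum's tooling and not code from the package), here are two checks a package reviewer could run for the pattern described above: one reports any bytes a PNG carries past its IEND chunk, which is where appended cargo ends up, and one flags a setup.py that both base64-decodes a string and hands something to exec/eval/os.system/subprocess. The 1x1 PNG and the setup.py text below are constructed for the example; the encoded command is just "echo hi".

```python
import ast
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_trailing_data(blob: bytes) -> bytes:
    """Return the bytes that follow the IEND chunk. A well-formed PNG ends
    at IEND, so anything after it is hidden cargo that image viewers ignore."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4  # 8-byte chunk header, data, 4-byte CRC
        if ctype == b"IEND":
            return blob[pos:]
    raise ValueError("truncated PNG: no IEND chunk")

def setup_py_decodes_and_runs(source: str) -> bool:
    """Flag a setup.py that both base64-decodes a blob and passes a string to
    exec/eval/os.system/subprocess: the install-time pattern described above."""
    decodes = runs = False
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        decodes |= name in ("b64decode", "b32decode", "b16decode")
        runs |= name in ("exec", "eval", "system", "run", "Popen", "check_output")
    return decodes and runs

def _chunk(ctype: bytes, data: bytes) -> bytes:  # length, type, data, CRC(type+data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# Constructed 1x1 grayscale PNG; the appended bytes stand in for a hidden binary.
CLEAN_PNG = (PNG_SIGNATURE
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
STUFFED_PNG = CLEAN_PNG + b"PLACEHOLDER-BINARY-BYTES"

# Constructed setup.py in the shape the article describes (decoded command is "echo hi").
SUSPICIOUS_SETUP_PY = '''
import base64, subprocess
from setuptools import setup
cmd = base64.b64decode("ZWNobyBoaQ==").decode()
machine_id = subprocess.check_output(cmd, shell=True)
setup(name="demo")
'''
```

The setup.py heuristic matches on call names only, so a package that legitimately decodes data and also shells out will trip it; treat a hit as a prompt for manual review rather than a verdict.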
The package's ultimate goal is unclear, but the finding once again shows how attractive open-source ecosystems are as a distribution channel for malware.
With a large share of codebases depending on open-source components, the steady stream of malware landing in npm, PyPI and similar registries, together with the recent XZ Utils incident, underscores the need to address these issues systematically so that large parts of the internet are not put at risk of disruption.