Python's Poisoned Package: Another 'Blank Grabber' Malware in PyPI

The Python Package Index (PyPI) is a platform that offers an extensive range of packages to simplify and enhance the development process. Malicious actors regularly upload malicious packages to the platform's repository with the aim of delivering malware that steals the victim's information or, more frequently, compromises their environment. Several PyPI packages have recently been reported as part of supply chain attacks. As part of our continuous research to improve the security of the Internet, Imperva Threat Research discovered and reported a package called 'sellpass-sdk' that followed a burst of other dummy malicious packages, most likely posted as tests by the same author. The package distributes the "Blank-Grabber" infostealer and exfiltrates the victim's data via a specific Discord Canary link. After we reported this discovery, the PyPI team quickly removed the package.

Understanding the PyPI Package Metadata

The malicious package was added to the PyPI repository on December 27, 2023 and remained there until January 8, when it was taken down following our report to the PyPI security team. The package appears to have been masquerading as a legitimate one named 'sellpass' (the same name without the '-sdk' suffix). The authentic 'sellpass' package is a Python wrapper for the Sellpass.io API.

Figure 1: PyPI sellpass packages

A comparison of download figures shows that the deceptive version was downloaded 488 times in a single week, an alarming reach for such a short span.
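The two signals described above, a name that collides with an existing package once the '-sdk' suffix is removed and a package that was only days old with a single release, can both be checked before running pip install. The following script is an added example written for this article, not Imperva's tooling and not code from the malicious package. The sample metadata is constructed to mirror the shape of PyPI's JSON API response; apart from the December 27, 2023 first-upload date taken from the text, the versions, upload times and summaries are invented, and the affix list, the 30-day "new package" window and the 0.85 similarity threshold are assumptions you should tune for your own dependency set.

```python
"""Pre-install triage of a PyPI dependency name against its registry metadata.

Two signals from the sellpass / sellpass-sdk case are checked: a name that
collapses onto a trusted package once common affixes ('-sdk', 'python-', ...)
are stripped or that is a near-miss by character similarity, and a package
whose first upload is only days old with a single release.
"""
import difflib
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional

# Constructed sample, shaped like the PyPI JSON API response
# (https://pypi.org/pypi/<name>/json); only the fields used below are kept.
# Versions, times and summaries are illustrative, not data pulled from PyPI;
# only the 'sellpass-sdk' first-upload date matches the date in the article.
SAMPLE_METADATA: Dict[str, dict] = {
    "sellpass": {
        "info": {"name": "sellpass", "summary": "Python wrapper for the Sellpass.io API"},
        "releases": {
            "0.1.0": [{"upload_time_iso_8601": "2023-06-01T10:00:00.000000Z"}],
            "0.2.0": [{"upload_time_iso_8601": "2023-09-15T10:00:00.000000Z"}],
        },
    },
    "sellpass-sdk": {
        "info": {"name": "sellpass-sdk", "summary": "Python wrapper for the Sellpass.io API"},
        "releases": {
            "1.0.0": [{"upload_time_iso_8601": "2023-12-27T12:00:00.000000Z"}],
        },
    },
}

# Affixes a squatter can bolt onto a trusted name (assumed list; extend as needed).
PREFIXES = ("python-", "py-")
SUFFIXES = ("-sdk", "-api", "-client", "-lib", "-python", "-py")

# The moment of the hypothetical 'pip install', a week after the first upload.
EXAMPLE_NOW = datetime(2024, 1, 3, 12, 0, tzinfo=timezone.utc)


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def stem(name: str) -> str:
    """Strip one known suffix and one known prefix: 'python-Sellpass_SDK' -> 'sellpass'."""
    n = normalize(name)
    for s in SUFFIXES:
        if n.endswith(s) and len(n) > len(s):
            n = n[: -len(s)]
            break
    for p in PREFIXES:
        if n.startswith(p) and len(n) > len(p):
            n = n[len(p):]
            break
    return n


def find_lookalike(candidate: str, trusted: Iterable[str], threshold: float = 0.85) -> Optional[str]:
    """Return the trusted name the candidate most resembles, or None.

    An identical stem (sellpass-sdk vs sellpass) wins outright; otherwise a
    character-level similarity at or above `threshold` catches classic
    typosquats such as a dropped or transposed letter.
    """
    cand = normalize(candidate)
    best, best_score = None, 0.0
    for t in trusted:
        tn = normalize(t)
        if tn == cand:
            continue  # the trusted package itself, not a lookalike
        if stem(tn) == stem(cand):
            return t
        score = difflib.SequenceMatcher(None, cand, tn).ratio()
        if score >= threshold and score > best_score:
            best, best_score = t, score
    return best


def first_upload(meta: dict) -> Optional[datetime]:
    """Earliest upload time across all release files, as an aware UTC datetime."""
    times = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for files in meta["releases"].values()
        for f in files
    ]
    return min(times) if times else None


def assess(candidate: str, trusted: Iterable[str], metadata: Dict[str, dict],
           now: datetime, max_new_days: int = 30) -> dict:
    """Combine the name and metadata signals into a triage verdict for one package."""
    meta = metadata[candidate]
    reasons = []
    lookalike = find_lookalike(candidate, trusted)
    if lookalike:
        reasons.append(f"name resembles trusted package '{lookalike}'")
    uploaded = first_upload(meta)
    age_days = (now - uploaded).days if uploaded else None
    if age_days is not None and age_days < max_new_days:
        reasons.append(f"first upload only {age_days} days ago")
    release_count = len(meta["releases"])
    if release_count <= 1:
        reasons.append("only one release published")
    return {
        "package": candidate,
        "lookalike_of": lookalike,
        "age_days": age_days,
        "release_count": release_count,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for name in ("sellpass", "sellpass-sdk"):
        verdict = assess(name, ["sellpass", "requests"], SAMPLE_METADATA, EXAMPLE_NOW)
        print(verdict["package"], "->", verdict["reasons"] or "no findings")
```

In practice the metadata dictionary comes from fetching https://pypi.org/pypi/<name>/json for each pinned dependency and feeding the parsed response to assess(); the trusted list is whatever your lockfile or internal allow-list already names. Download counts such as the 488 figure above are not part of that response, so a volume-based check needs a separate data source.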

