Python Q&A site StackExchange hijacked to spread malware disguised as answers

Be wary of malware-ridden forums

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Researchers from Checkmarx have uncovered a sophisticated campaign in which attackers built credibility within the Python Package Index (PyPI) community to release crypto-draining, data-stealingmalware.

Starting a little over a month ago, the attackers uploaded several non-maliciousPythonpackages, such as ‘spl-types,’ to establish credibility and evade detection for a future attack, via the StackExchange Q&A website.

A little over a week later, the attackers released malicious versions of the packages embedding obfuscated malware within the ‘init.py’ file.

PyPI social hacking?

By first gaining the trust of the community, the hackers were able to deploy automatically executed malware to compromise unsuspecting victims’ systems, exfiltrating data and draining cryptocurrency wallets.

The attackers posted seemingly helpful answers on popular StackExchange threads, directing users to their malicious package by abusing the trust typical of these platforms.

A backdoor component provided the attackers with persistent remote access, which enabled long-term exploitation and greater crypto wallet drains. The attack primarily targeted those involved with Raydium and Solana cryptocurrencies.

Besides draining wallets, the malware also harvested sensitive data like browser history, saved passwords, cookies, and credit card information. It also targeted messaging apps like Telegram and Signal to capture screenshots and search for files with specific keywords relating to cryptocurrency and sensitive data.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Given the socially manipulative element of the attack, the researchers reaffirm the importance of verifying the authenticity of software packages and maintaining vigilance against potentially harmful forum content.

Moreover, basic cybersecurity measures, like not downloading unknown content, protecting online accounts with strong passwords and two-factor authentication, and keeping software updated, are vital steps in combating the spread of malware.

More from TechRadar Pro

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!

Rising AI threats are making firms turn back to human intelligence

Thousands of employees could be falling victim to obvious phishing scams every month

Intel Battlemage rumored for December – could new budget GPUs win over gamers neglected by Nvidia and save the Arc brand?