A malicious Python package named onyxproxy, found on the Python Package Index (PyPI), used Unicode homoglyphs to evade detection and deploy info-stealing malware. The package, uploaded on March 15, 2023, was able to harvest and exfiltrate credentials and other valuable data before being taken down.
The package camouflages its code with Unicode variants of ordinary ASCII characters. The method shows telltale signs of copy-and-paste from other sources, but the result is a novel piece of obfuscated code.
The discovery highlights ongoing attempts by threat actors to slip past string-matching defenses by leveraging how the Python interpreter normalizes Unicode identifiers.
Software supply chain security firm Phylum reported that the package hides its malicious behavior in a setup script padded with thousands of seemingly legitimate code strings.
Those strings are written in Unicode bold and italic variants of ordinary letters. They remain readable to a human, and because Python converts every identifier to its NFKC normal form while parsing (PEP 3131), the interpreter treats them as the plain ASCII names they imitate. The malware therefore runs on package installation even though its source never literally contains the names a string-matching scanner would look for.
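The following is an added example, not code from the onyxproxy package or from Phylum's analysis. It builds a harmless function whose identifiers are spelled with Mathematical Bold letters, shows that Python folds them to ASCII under NFKC so the code executes as `__import__('binascii').unhexlify(...)` although the string `__import__` never appears in the source, and then walks the raw token stream to flag every identifier whose normalized form differs from its spelling. The sample source, the `to_math_bold` helper and all function names are constructed for this illustration; the detection check works because `tokenize` preserves the raw spelling while `ast.parse` already returns the normalized identifier.

```python
"""
Added example (not the onyxproxy code): Python NFKC identifier folding
and a tokenizer-based check for disguised identifiers.
"""
import ast
import io
import tokenize
import unicodedata

# U+1D41A MATHEMATICAL BOLD SMALL A; bold a..z are contiguous from here.
BOLD_A = 0x1D41A


def to_math_bold(text: str) -> str:
    """Rewrite ASCII lowercase letters as Mathematical Bold homoglyphs."""
    return "".join(
        chr(BOLD_A + ord(c) - ord("a")) if "a" <= c <= "z" else c
        for c in text
    )


# Constructed sample (hypothetical, benign): every identifier is bold, so the
# ASCII strings "decode", "__import__" and "unhexlify" do not occur in the text.
SAMPLE_SOURCE = (
    f"def {to_math_bold('decode')}({to_math_bold('blob')}):\n"
    f"    return __{to_math_bold('import')}__('binascii')."
    f"{to_math_bold('unhexlify')}({to_math_bold('blob')})\n"
)


def normalized_identifier(name: str) -> str:
    """Apply the same NFKC normalization the CPython parser applies."""
    return unicodedata.normalize("NFKC", name)


def find_disguised_identifiers(source: str) -> list[tuple[int, str, str]]:
    """Return (line, raw_spelling, normalized) for each NAME token whose
    NFKC form differs from how it is written.  tokenize yields the raw text,
    which is what a scanner needs; the AST has already lost that detail."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME:
            norm = normalized_identifier(tok.string)
            if norm != tok.string:
                hits.append((tok.start[0], tok.string, norm))
    return hits


def ast_sees_normalized_names(source: str) -> list[str]:
    """Identifiers as the parser records them: already folded to ASCII."""
    tree = ast.parse(source)
    return sorted({n.id for n in ast.walk(tree) if isinstance(n, ast.Name)})


def run_sample(hex_blob: str) -> bytes:
    """Compile and run the disguised sample in a private namespace, then call
    the function by its ASCII name, which is how the interpreter stored it."""
    ns: dict = {}
    exec(compile(SAMPLE_SOURCE, "<sample>", "exec"), ns)
    return ns["decode"](hex_blob)


if __name__ == "__main__":
    print("raw source contains '__import__':", "__import__" in SAMPLE_SOURCE)
    print("AST names:", ast_sees_normalized_names(SAMPLE_SOURCE))
    for line, raw, norm in find_disguised_identifiers(SAMPLE_SOURCE):
        print(f"line {line}: {raw!r} normalizes to {norm!r}")
    print("sample output:", run_sample("48656c6c6f"))
```

A scanner that greps raw source for `__import__`, `exec` or `base64` misses this sample entirely, while a rule on the NFKC-normalized token stream, or simply flagging any identifier whose normalized form differs from its spelling, catches every disguised name. Running the check over the token stream rather than the AST matters: the parser has already normalized by the time an `ast.Name` exists.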
In a related development, Canadian cybersecurity company PyUp revealed the discovery of three new fraudulent Python packages, aiotoolbox, asyncio-proxy, and pycolorz, that were downloaded over 1,000 times and designed to retrieve obfuscated code from a remote server.
Developers should therefore remain cautious when installing packages from PyPI and other repositories, and check a package's author, release and download history before installing it.