JuiceLedger phishing campaign is going after developers who use PyPI

Threat actors release escalated phishing campaign that distributes information stealer malware

PyPI users targeted in particular phishing attack

Hackers behind the recently released phishing attacks target particular Python Package Index users. More details on the attacks show that operators behind the phishing campaign aimed particularly at the official third-party software repository for the programing language users.^[1] The threat actor named JuiceLedger was identified as the creator and distributor of the campaign.^[2] Cybersecurity research companies SentinelOne and Checkmarx reported that the group is a new gang that has been spreading these malware pieces using various attack methods since early 2022.^[3]

The supply chain attack on PyPI package contributors appears to be an escalation of a campaign begun earlier in the year which initially targeted potential victims through fake cryptocurrency trading applications

This is the first known phishing^[4] attack specifically targeting users of the Python package Index -PyPI. First, the attacker focused on a .NET-based malware distribution named JuiceStealer. The threat searched and stole browser and cryptocurrency-related information from infected systems.

This campaign started when JuiceLedger spread the information stealing malware via fake Python installer apps, but campaigns started in August came with the engagement in an attempt to poison Python packages on the PyPI repository. The campaign supposedly had the goal of distributing malware to a wider audience.

Campaign targeting PyPI users

This phishing attack aimed to trick people linked to the programming language tools. These phishing messages inform users about Google implementing a new variation process for packages published on PyPI. The email stated that the measure was in response to a big increase in malicious PyPI packages getting uploaded to the registry.

The warning stated that developers need to validate their code packages with Google expeditiously. This was the advised step for the avoidance of the removal from this registry. This step needs to take place before September because it will be removed promptly.

Clicking on the link redirected users to the webpage that looked exactly like the PyPI login page. Users who entered their credentials there provided the information for the JuiceLedger-controlled domain instead. The campaign, apparently, convinced at least two developers to do so. They gave full access to their accounts, and the threat attacker could poison the relatively widely used PyPI packages with malicious code.

Poisoning supply chains

The campaign was not that successful, with only two known people that are all for the trick, but once malicious code gets installed in the development environment, the information stealer malware can be launched, and Google Chrome passwords and query Chrome SQLite files get stolen.

The malware that is designed to steal details can look for logs that contain particular words like a vault if the threat actor relies on searching for cryptocurrency vaults. This information can be collected and reported to the attacker-controlled c&c servers over HTTP.

These account takeover attacks have become more and more popular and are used by threat actors as the infection vector for the poisoning of software supply chains. PyPI had started to implement mandatory two-factory authentication requirements^[5] for projects deemed critical. PyPI admins also removed hundreds of typo-squatted packages that JuiceLedger published as a broader effort to spread the info stealer malware via a popular Python code repository.