Malicious Python Package Relies on Steganography to Download Malware

Check Point Research has detected a malicious open source code package that uses steganography to hide malicious code inside image files.

The malicious package was available on PyPI, a package index widely used by Python developers. After being notified of it, PyPI’s maintainers have removed the malicious package.

The malicious package, apicolor, looks like one of many development packages available on PyPI. The header states the package is a “core lib for REST API.” The package installation script for apicolor has instructions to download additional packages (requests and judyb), along with a picture from the Web. The script then uses the steganography capabilities in judyb to uncover and execute the malicious code hidden inside the image file. The malicious code downloads malware from the Web and installs it on the user’s machine.

The impact seems minimal — Check Point Research found only three GitHub users including apicolor and judyb in their code, and a little over 80 projects containing the malicious packages. The infection method relies on people stumbling across these open source projects and installing them on their machines, “not knowing it brings in a malicious package import,” the team said.

The more important takeaway? “These findings reflect careful planning and thought by a threat actor, who proves that obfuscation techniques on PyPI have evolved,” Check Point Research wrote on the team’s blog.

Attackers are no longer just relying on the strategy to copy and rename existing packages and hide malicious code inside. Instead, they are targeting certain type of users — often those working from home, and those using corporate machines for side projects, according to the research team.