Checkmarx identified a new malware campaign targeting Telegram, AWS, and Alibaba Cloud users. The campaign, attributed to an anonymous actor using the handle “kohlersbtuh15,” was detected in September. Publishing through the Python package repository PyPI, the attacker employed typosquatting and starjacking tactics.
Rather than the usual method of planting malicious code in a package's setup file (setup.py), where it runs automatically at install time, this attacker embedded the harmful code deep inside specific functions. Checkmarx described this as a distinctive way to conceal code: the payload executes only when those particular functions are called, which makes detection harder.
Checkmarx highlighted that this method bypasses security tools that scan for malicious scripts which execute automatically. The attacker also manipulated the packages' apparent popularity on PyPI to build trust and lure victims into downloading the infected packages. Checkmarx warned that these tactics pose severe risks: developer accounts could be compromised and users infected through tainted software releases, with damaging effects spreading across networks.
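As an added illustration of the evasion described above (this is example code, not code from Checkmarx or the report), the following Python snippet parses a package's source with the standard `ast` module and separates calls that would run at import time from calls buried inside function bodies; the `SUSPICIOUS_CALLS` list and the sample module are constructed for this example.

```python
import ast

# Callees worth a human look. A scanner that checks only setup.py or
# module-level statements never reaches a function body, where this campaign hid its code.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "base64.b64decode", "os.system",
                    "subprocess.run", "subprocess.Popen", "urllib.request.urlopen"}

def _callee_name(node):
    # Dotted callee name such as "subprocess.run"; "" if the callee is not a plain name.
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return ""
    return ".".join(reversed(parts + [func.id]))

class _CallFinder(ast.NodeVisitor):
    def __init__(self):
        self.scope = []   # stack of enclosing function names
        self.hits = []    # (enclosing function or "<module>", callee, line)

    def visit_FunctionDef(self, node):
        self.scope.append(node.name)
        self.generic_visit(node)
        self.scope.pop()
    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        name = _callee_name(node)
        if name in SUSPICIOUS_CALLS:
            self.hits.append((self.scope[-1] if self.scope else "<module>", name, node.lineno))
        self.generic_visit(node)   # keep going: exec(base64.b64decode(...)) nests two hits

def scan_source(source):
    """Return (module_level_hits, deferred_hits); an import-time-only scanner sees just the first."""
    finder = _CallFinder()
    finder.visit(ast.parse(source))
    return ([h for h in finder.hits if h[0] == "<module>"],
            [h for h in finder.hits if h[0] != "<module>"])

# Constructed sample in the style the report describes: nothing runs on import,
# the decode-and-exec is reached only when send_message() is called.
SAMPLE_MODULE = '''\
import base64, subprocess
def send_message(token, text):
    payload = base64.b64decode("PAYLOAD_PLACEHOLDER")  # inert placeholder
    exec(payload)
    return subprocess.run(["echo", text], capture_output=True)
'''
```

Run it over every `.py` file in an unpacked wheel or sdist, not just setup.py; anything in the second list deserves a manual read before the package is allowed into a build.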