The backdoor was discovered in PyPI packages ‘keep,’ ‘pyanxdns,’ and ‘api-res-py’ due to the presence of a malicious’request’ dependency in some versions.
While most versions of the ‘keep’ project utilize the legitimate Python module requests to make HTTP requests, ‘keep’ v.1.2 includes the malware’request’ (without the s).
BleepingComputer contacted the authors of each of these packages to find out if the problem was caused by a simple typo, self-sabotage, or hacked maintainer accounts.
The malicious’request’ function is used by the PyPI package ‘keep.’
Some PyPI packages, including ‘keep,’ ‘pyanxdns,’ and ‘api-res-py,’ were discovered to be employing a harmful dependency,’request.’
GitHub user duxinglin1 discovered the vulnerable versions had the misspelled’request’ dependency, rather than the valid requests’ library, back in May.
As a result, the following CVEs have been awarded to the vulnerable versions this week:
Contrary to what the advisory claims, CVE-2022-30877 – ‘keep’ version 1.2 contains the backdoor’request.’
Version 0.2 of ‘pyanxdns’ was impacted by CVE-2022-30882.
Version 0.1 of ‘api-res-py’ was impacted by CVE-2022-31313.
Despite the fact that ‘pyanxdns’ and ‘api-res-py’ are small-scale projects, the ‘keep’ package, in particular, receives over 8,000 downloads per week on average—with version 1.2 using the malicious dependency:
Tencent Onion Anti-Intrusion System found a malicious typosquat’request’ published to the PyPI registry in 2020 that pretended to be the request’s HTTP library but dropped malicious info-stealers instead.
“We discovered a malicious backdoor in this project’s version 1.2, and the request package is the malicious backdoor. Even after PyPI removed the request package, several mirror sites did not entirely remove it, thus it could still be installed “duxinglin1 is a GitHub user.
The following is the harmful code found inside the fake’request’:
A base64-encoded URL to the ‘check.so’ virus is found on line 57. Threat intelligence analyst blackorbird also discovered another URL (x.pyx), which is also displayed below, that is linked to the fake’request’ dependency:
http://dexy[.]top/request/check.so
http://dexy[.]top/x.pyx
The file ‘check.so’ contains a Remote Access Trojan (RAT), and the file ‘x.pyx’ discovered by BleepingComputer contains information-stealing malware that collects cookies and personal information from web browsers like Chrome, Firefox, Yandex, Brave, and others:
The information-stealing malware will try to collect login names and passwords from online browsers.
Threat actors can then attempt to compromise other accounts used by the developer after gaining access to user credentials, potentially leading to even more supply-chain attacks.
Is it a hoax or a genuine typo?
The discovery of a harmful dependence in several PyPI packages begs the question, “How did this happen?”
BleepingComputer contacted the authors of each of these packages to find out if the problem was caused by a simple typo, self-sabotage, or hacked maintainer accounts.
Marky Egebäck, the author and maintainer of ‘pyanxdns,’ confirmed that this is due to a typographical error rather than an account hack.
And it appears that the developers of the other two packages mistakenly introduced’request’ instead of the legitimate’requests’ owing to an innocent typing error.
“Sorry to say by a simple typo in the setup.py file,” Egebäck informed BleepingComputer, “because git history reveals that this was inserted when the installation requires was added by me.”
Since then, the developer has reuploaded a fresh version to PyPI and removed the previous version that referenced the harmful “request” dependent.
“This was a genuine blunder caused by a typo in setup.py. I don’t usually put stuff on PyPI, but I whipped this up quickly for a friend and myself. I’m not sure if he advertised it, but it was primarily for personal usage in an internal Docker project, “Egebäck agrees.
Egebäck expressed gratitude to GitHub user duxinglin1 for pointing out the dangerous reliance in his project, and explained why he hasn’t spent much time recently maintaining the contributed Python code:
“What could have been done a lot better would have been to solve this earlier,” Egebäck adds. “But I didn’t realize the severity of it at the time, and as I put very little time regretfully [nowadays] with coding, it took a long time.”
When coding programs, simple typing errors on the part of the developer can accidentally help typosquatting attacks succeed, which rely on such precise errors to corrupt the broader software supply chain.
Although the malicious’request’ dependent has been deleted from the PyPI registry in this case, anyone uses a vulnerable version of the PyPI packages and relying on a mirror to fetch dependencies risks having malicious info-stealers on their system.