A hacking group from North Korea known for stealing cryptocurrency is believed to be behind a series of malicious Python packages targeting developers on Linux and macOS systems in an effort to compromise the software supply chain. Palo Alto’s Unit 42 researchers have linked this campaign to the APT group called “Gleaming Pisces,” also known as Citrine Sleet, with medium confidence.
This group gained notoriety for distributing the AppleJeus malware aimed at cryptocurrency traders. The attack involves multiple Python packages that decode and execute encoded code, leading to the installation of a Remote Access Trojan (RAT) on the compromised systems. North Korean hackers have a history of targeting the software supply chain to further their goals of funding weapons development and obtaining hard currency.
PyPI, a popular repository for Python libraries, has been a frequent target for malicious actors. In a recent incident, threat actors flooded the repository with fake versions of well-known packages to deceive developers. The goal of these attacks is to gain access to supply chain vendors through developers’ endpoints and ultimately reach the vendors’ customers’ endpoints.
Although the malicious packages identified by Palo Alto have been removed from PyPI, organizations that unknowingly used the infected third-party software may still be at risk. The attribution of these attacks to North Korea is based on similarities in code structure, function names, encryption keys, and execution patterns observed in previous attacks.
The malicious Python packages that were removed from PyPI include: real-ids with 893 downloads, coloredtxt with 381 downloads, beautifultext with 736 downloads, and minisound with 416 downloads. The presence of these packages highlights the ongoing threat posed by supply chain attacks and the importance of robust security measures to protect against such threats.
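A defender-side check for the two indicators the article gives, the four removed package names and the decode-then-execute behaviour of the packages, as an added example that is not Unit 42's or PyPI's own tooling. The sample package source and the installed-package list it is run on are constructed here for illustration; in practice the scanner would be pointed at `pip freeze` output and the `.py` files of any third-party package pulled from PyPI.

```python
import ast
from typing import List, Tuple

# Package names the article reports as removed from PyPI.
REPORTED_PACKAGES = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

# Calls that turn an encoded blob back into code, and calls that run it.
DECODERS = {"b64decode", "b32decode", "a85decode", "decompress", "unhexlify"}
EXECUTORS = {"exec", "eval", "compile"}


def _call_name(func: ast.AST) -> str:
    """Bare function name of a call target, e.g. base64.b64decode -> b64decode."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def find_decode_exec(source: str) -> List[Tuple[int, str]]:
    """Return (line, executor) for exec/eval/compile fed by a decoder call,
    either inline or through a variable assigned directly from a decoder."""
    tree = ast.parse(source)
    tainted = set()  # names assigned straight from a decoder call
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                and _call_name(node.value.func) in DECODERS):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _call_name(node.func) in EXECUTORS):
            continue
        for sub in ast.walk(node):
            direct = isinstance(sub, ast.Call) and _call_name(sub.func) in DECODERS
            via_var = isinstance(sub, ast.Name) and sub.id in tainted
            if direct or via_var:
                findings.append((node.lineno, _call_name(node.func)))
                break
    return sorted(findings)


def flagged_packages(installed: List[str]) -> List[str]:
    """Names from pip-freeze style lines that match the reported packages."""
    names = (line.split("==")[0].strip().lower() for line in installed)
    return sorted(n for n in names if n in REPORTED_PACKAGES)


# Constructed sample mimicking the decode-and-execute loader pattern.
SAMPLE_SOURCE = "\n".join([
    "import base64, zlib",
    'blob = "AAAA"',
    "payload = zlib.decompress(base64.b64decode(blob))",
    "exec(payload)",
    "exec(base64.b64decode(blob))",
    'print("benign")',
])
```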