Malicious campaign targeting PyPI users aims to steal cloud access tokens

Cybersecurity researchers have uncovered a malicious campaign aimed at users of the Python Package Index (PyPI), with attackers distributing fraudulent libraries masquerading as “time”-related utilities. The packages are designed to steal sensitive data, such as cloud access tokens.

The attack, discovered by supply chain security firm ReversingLabs, involved two distinct clusters of malicious packages totaling 20 libraries. Collectively, these packages have been downloaded more than 14,100 times.

While the first set of malicious packages was designed to upload stolen data to the attackers' infrastructure, the second group targeted cloud client functionalities for major services, including Alibaba Cloud, Amazon Web Services (AWS), and Tencent Cloud. The rogue packages were found to exfiltrate cloud secrets from unsuspecting users.

Further investigation revealed that three of the malicious packages—acloud-client, enumer-iam, and tcloud-python-test—were included as dependencies in a popular GitHub project called accesskey_tools. This project, which has been forked 42 times and starred 519 times, is used by developers for managing cloud access keys.
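Because the malicious packages reached victims through an ordinary dependency declaration, the practical defensive check is to scan dependency manifests and installed environments for the names the article identifies. The following is an added example written for this page, not code from ReversingLabs or from the accesskey_tools project: it normalizes package names the way PyPI does (PEP 503), parses requirements.txt-style input, and matches against the three names the article states (acloud-client, enumer-iam, tcloud-python-test). The sample requirements text, its version pins and the helper names are constructed for illustration.

```python
import re
from importlib import metadata

# Only the three names the article identifies; any other entry here
# would be an assumption, so the denylist is deliberately limited to them.
KNOWN_MALICIOUS = {"acloud-client", "enumer-iam", "tcloud-python-test"}

# Constructed sample requirements file (versions, extras and markers are made up).
# It mixes casing and separators to show why normalization matters.
SAMPLE_REQUIREMENTS = """\
# cloud tooling
boto3>=1.26
TCloud_Python.Test==0.1.0   # inline comment
acloud-client
requests[security]>=2.31
enumer_iam ; python_version >= "3.8"
-r other.txt
"""

# A requirement line starts with the distribution name; extras, specifiers
# and markers follow. URL/VCS requirements (e.g. "git+https://...") are skipped.
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'.

    PyPI treats 'TCloud_Python.Test' and 'tcloud-python-test' as the same
    project, so a denylist match must compare normalized forms.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return normalized distribution names from requirements.txt-style text.

    Blank lines, comments and pip options such as '-r' or '-e' are ignored.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_NAME.match(line)
        if match:
            names.append(normalize_name(match.group(1)))
    return names


def find_malicious(text: str, denylist=KNOWN_MALICIOUS) -> list[str]:
    """Names in the requirements text that match the denylist, sorted."""
    deny = {normalize_name(n) for n in denylist}
    return sorted({n for n in parse_requirements(text) if n in deny})


def scan_installed(denylist=KNOWN_MALICIOUS) -> list[str]:
    """Denylisted distributions installed in the current interpreter environment."""
    deny = {normalize_name(n) for n in denylist}
    found = set()
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name and normalize_name(name) in deny:
            found.add(normalize_name(name))
    return sorted(found)


if __name__ == "__main__":
    print("requirements hits:", find_malicious(SAMPLE_REQUIREMENTS))
    print("installed hits:", scan_installed())
```

Run it against each project's requirements file, lock file export, or a live environment; a non-empty result from either function means the environment should be treated as compromised and its cloud credentials rotated, since the article states the packages exfiltrated cloud secrets.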

A commit referencing the package tcloud-python-test was made on November 8, 2023, indicating that the package had been available for download on PyPI since that time. According to download statistics from pepy.tech, tcloud-python-test alone has been downloaded 793 times to date.

The attackers behind this campaign appear to be targeting developers and cloud engineers who rely on Python packages for integrating with cloud services. All of the identified malicious packages have since been removed from PyPI, the repository's maintainers confirmed.

17 March 2025