Cybersecurity experts have identified a malicious campaign exploiting the Python Package Index (PyPI) repository. The attack involved impersonating popular AI models such as OpenAI's ChatGPT and Anthropic's Claude to disseminate a data-stealing malware dubbed JarkaStealer.

Malicious Packages

Two Python packages, named `gptplus` and `claudeai-eng`, were uploaded by a user under the alias "Xeroline" in November 2023. Together, they accounted for nearly 3,574 downloads before removal from PyPI.

Deceptive Functionality

These packages falsely claimed to provide access to AI APIs, specifically GPT-4 Turbo and Claude AI. However, they included harmful code aimed at deploying JarkaStealer during installation.

Technical Details

Within the `__init__.py` files, Base64-encoded scripts were used to download a Java archive (`JavaUpdater.jar`) from a GitHub repository. The scripts also attempted to install Java Runtime Environment from a Dropbox link if not present on the system.

Capabilities of JarkaStealer

This Java-based infostealer can exfiltrate sensitive data, including web browser information, system details, screenshots, and session tokens from applications like Telegram, Discord, and Steam.

Dissemination and Monetization

Once data is collected, it is archived, sent to the attacker’s server, and deleted locally. JarkaStealer has been offered as a Malware-as-a-Service (MaaS) through a Telegram channel for a price range of $20 to $50. Its source code also circulated on GitHub.

Global Impact

Data from ClickPy indicates the packages predominantly reached users in the U.S., China, India, France, Germany, and Russia, signifying a broad international impact.

Expert Insight

Leonid Bezvershenko from Kaspersky commented on this incident, emphasizing the ongoing threat posed by software supply chain attacks. He stressed the urgent need for developers to remain cautious when incorporating open-source components into their projects. This incident serves as a stark reminder of the vigilance required in managing dependencies and maintaining secure development environments.

The link has been copied!