Malicious Python Package Spread by Hackers via Stack Overflow

Cybersecurity researchers have issued a warning regarding the discovery of a new malicious Python package in the Python Package Index (PyPI) repository, aimed at cryptocurrency theft, as part of a broader malicious campaign.

This malicious package, named pytoileur, has been downloaded 316 times as of now. Notably, after PyPI maintainers delisted the previous version (1.0.1) on May 28, 2024, a new version (1.02) with the same functionality was uploaded by an author using the name PhilipsPY.

According to analysis by Sonatype, malicious code is embedded in the package’s setup.py script, capable of executing a Base64-encoded payload to retrieve Windows binary files from external servers. Security researcher Sharma explained that the retrieved binary file “Runtime.exe” executes via Windows PowerShell and VBScript commands.

Once installed, this binary file establishes persistence and downloads additional payloads, including spyware and malware capable of stealing data from web browsers and cryptocurrency services.
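The defender's takeaway from the description above is that the install script itself is the first place to look. As an added example (not code from Sonatype's analysis or from the pytoileur package), the following AST-based check flags a setup.py that decodes a Base64 blob and passes it to exec()/eval(), or that carries a long Base64-looking string literal; the sample setup.py contents, the 40-character threshold and the function names are assumptions for the demonstration, and the embedded blob is a constructed benign payload.

```python
import ast
import base64
import re

# Constructed benign blob: base64 of print('constructed benign sample').
BENIGN_BLOB = base64.b64encode(b"print('constructed benign sample')").decode()

# Constructed sample install script mimicking the decode-then-exec pattern.
SUSPICIOUS_SETUP = f'''
from setuptools import setup
import base64
exec(base64.b64decode("{BENIGN_BLOB}"))
setup(name="example", version="1.0.2")
'''

# Constructed clean install script for comparison.
CLEAN_SETUP = '''
from setuptools import setup
setup(name="example", version="1.0.2")
'''

DANGEROUS_CALLS = {"exec", "eval"}
DECODE_NAMES = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode"}
# Assumed threshold: a 40+ character run of Base64 alphabet is worth a look.
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/=]{40,}$")


def _call_name(node):
    """Bare function name of a Call node: exec -> 'exec', base64.b64decode -> 'b64decode'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def scan_setup_py(source):
    """Return human-readable findings for a setup.py source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _call_name(node) in DANGEROUS_CALLS:
            # exec()/eval() in an install script is unusual; flag it harder when
            # its argument is itself a decode call (decoded payload goes straight to exec).
            inner = [_call_name(a) for a in node.args if isinstance(a, ast.Call)]
            if any(name in DECODE_NAMES for name in inner):
                findings.append(f"line {node.lineno}: {_call_name(node)}() of decoded payload")
            else:
                findings.append(f"line {node.lineno}: {_call_name(node)}() in install script")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if B64_LITERAL.match(node.value):
                findings.append(f"line {node.lineno}: long Base64-looking string literal")
    return findings


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("clean", CLEAN_SETUP)):
        print(label, scan_setup_py(src) or ["no findings"])
```

Running the scanner over a package's sdist before installation (without executing setup.py) is the point; any hit is a reason to read the script by hand.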

Sonatype also discovered a newly created Stack Overflow account named “EstAYA G,” which answered user questions on the platform by recommending that they install the malicious pytoileur package as a solution.

Sharma told Hacker News, “While attribution is difficult without access logs, the timing of the creation of these new accounts and the promotion of the malicious Python package suggest they may be linked to the same threat actor.”

This discovery highlights threat actors abusing trusted platforms to distribute malicious software. Sonatype said in a statement shared with Hacker News, “The public abuse of such a trusted platform serves as a significant warning for developers worldwide.”

Stack Overflow responded by stating that they have taken action to suspend the malicious account. A spokesperson said, “Stack Overflow’s Trust & Safety team has investigated this matter, identified and removed content that violates platform policies, and taken further action.”

Further investigation into package metadata and author history indicates overlap with previous activities involving fake Python packages like Pystob and Pywool, disclosed by Checkmarx in November 2023.

These findings once again underscore that the open-source ecosystem remains a target for threat actors seeking to reach many victims at once through supply chain attacks and information-stealing malware.