Positive Technologies opens access to a service for detecting malicious Python packages in open-source software

In 2022, attackers started taking a keen interest in open-source software [1]. One of the infection methods they used was the delivery of malicious code through third-party dependencies.

Positive Technologies has created PT PyAnalysis, a tool for detecting suspicious and malicious Python packages, and has opened an early access application for using the new service. Since Python packages [2] are used by most developers, developers need to carefully examine external dependencies and embed such analysis mechanisms into their development process. In addition, during an eight-month study of the PyPI repository, the company's experts detected 175 malicious packages, some of which had been in the repository since 2018.

Positive Technologies experts found different types or traces of malware in the discovered packages:

  • Stealers, malicious software for stealing user passwords (63%)
  • Backdoors, malware that enables attackers to stealthily and remotely control the victim's device (20%)
  • Downloaders, malware used to download further malware to the victim's computer (6%)
  • Activity that may harm users, such as annoying notifications or Telegram account removal (8%)
  • Proof-of-concept malware without malicious activity, destructive actions, or theft (2%)
  • Ransomware (1%)

Developers include such packages in the software they build, which allows bad actors to attack the users of that software. The study also found that the average lifetime of a malicious package before removal is 13 days, which is enough time to infect a user's computer. Most often, packages are disguised as legitimate ones and used to steal data.

Today, anyone can register a package under any unused name on pypi.org. The pypi.org administrators have the Malware Checks system in place, but its detection rules are published in the project's source code, and attackers can bypass them easily enough. The system itself does not block an attacker's attempts: its signals are sent to the administrators by email, after which they review the package code and decide whether to block it.

Attackers use various techniques to compromise developers, impersonate legitimate packages, and obfuscate their code [3]. Over time, their actions become more effective and harder to detect. To build a full-fledged system of protection against such threats, it is vital to involve experts in malicious code analysis.

The new PyAnalysis system is unique in its degree of automation: users can submit the name of a Python package for verification via an API and receive its danger assessment (clean, suspicious, or malicious). No malware analysis expertise is required. The system not only gives a clear verdict, but also explains why a package is malicious.

Maxim Dolginin, Head of Cyberthreat Data Handling, explains: "Our system for verification of Python packages from the PyPI repository works as a service model: anyone can test it in their secure development process. At the testing stage, the system will be free of charge. We expect that Python developers and secure development specialists will try out PT PyAnalysis and share their feedback with us, so that we can improve the service and make it convenient for everyone."

You can also send your request to the following address.

  1. According to ReversingLabs, from January to October 2022, about 7,000 malicious packages were uploaded to PyPI, a 40% increase over 2021.
  2. According to TIOBE's December report, Python is the most common programming language.
  3. Obfuscation: changing the code so that it becomes difficult to understand, while the program retains its functions.