W4SP Stealer Malware Creeps Up on Python Repository
PyPI, the Python Package Index, is the main repository of software written in Python. As with any repository of that size, a few bad packages occasionally slip in unnoticed despite the curation the platform applies, and the W4SP stealer is the latest such case.
The threat actor got the malware onto PyPI by disguising it as "requests", one of the most downloaded packages on the platform. The fake package copies the description of the real one word for word and even reuses the legitimate maintainer's contact email. Because those fields are lifted wholesale, the description and author metadata alone cannot tell the two apart; the package name, the account that uploaded it, and the presence of code that runs at install time are what distinguish the clone from the original.
The malicious package contains a script that writes a second script to a new file and then runs it. That small script fetches an obfuscated downloader from a remote URL.
The downloader stages files in a couple of system folders, then fetches the final payload, drops it into those folders and runs it. That final payload, the W4SP stealer itself, is an obfuscated Trojan.
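The two tells described above, metadata copied from a well-known package and a first stage that decodes a blob, writes it to a file and runs it, can both be checked before a package is ever installed. The scanner below is an added example written for this article; it is not W4SP's code and not a tool from the PyPI project. It parses a setup.py with the `ast` module and never executes it, flags a handful of illustrative install-time indicators (dynamic execution, base64 decoding, remote fetches, process spawning, long opaque string literals), and compares a package's summary and author email against the legitimate package it resembles. The suspicious setup.py, the long base64 blob it carries (just encoded "A"s, a stand-in for an obfuscated stage), the package names and the metadata values are all constructed for the example. It assumes the dropper lives in setup.py, the usual place for install-time code, which this article does not state, and it assumes PyPI's rule that package names are unique, so a clone necessarily sits under a different name.

```python
import ast
import re

# Illustrative indicators of install-time behaviour that rarely belongs in an
# honest setup.py. This list is an assumption for the example, not a complete rule set.
INDICATORS = {
    "exec": "executes dynamically built code",
    "eval": "executes dynamically built code",
    "base64.b64decode": "decodes an embedded blob",
    "urllib.request.urlopen": "fetches a remote resource at install time",
    "requests.get": "fetches a remote resource at install time",
    "os.system": "spawns a shell",
    "subprocess.run": "spawns a process",
    "subprocess.Popen": "spawns a process",
}
# A long run of base64 characters is a common way to hide a second stage.
OPAQUE_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def _import_aliases(tree):
    """Map local names to the module path they were imported from (e.g. go -> subprocess.run)."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else (e.g. open(...).write)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Parse (never execute) a setup.py and return sorted (line, what, why) findings."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name is None:
                continue
            head, _, rest = name.partition(".")
            full = aliases.get(head, head) + ("." + rest if rest else "")
            if full in INDICATORS:
                findings.append((node.lineno, full, INDICATORS[full]))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if OPAQUE_BLOB.match(node.value):
                findings.append((node.lineno, "string literal", "long opaque base64-like constant"))
    return sorted(findings)


def metadata_clone_findings(candidate, reference):
    """Flag a package whose summary or author email is lifted from a different, well-known package.
    Both arguments are dicts with 'name', 'summary' and 'author_email'."""
    if candidate["name"] == reference["name"]:
        return []  # same package, nothing to compare
    findings = []
    if candidate["summary"].strip().lower() == reference["summary"].strip().lower():
        findings.append(f"summary copied verbatim from {reference['name']}")
    if candidate["author_email"].lower() == reference["author_email"].lower():
        findings.append(f"author email reused from {reference['name']}")
    return findings


# Constructed sample of the stage-0 pattern: decode a blob, write it to a new file, run it.
# The blob is base64 of 39 'A' characters; nothing here is ever executed by the scanner.
SUSPICIOUS_SETUP = '''
import base64, os, tempfile
from subprocess import run as go
from setuptools import setup
_blob = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
_p = os.path.join(tempfile.gettempdir(), "stage1.py")
open(_p, "w").write(base64.b64decode(_blob).decode())
go(["python", _p])
setup(name="reqeusts", version="0.0.1")
'''
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="reqeusts-tools", packages=find_packages())
'''
# Constructed metadata: the real "requests" summary and email are not reproduced here.
REFERENCE = {"name": "requests", "summary": "HTTP library for humans (constructed sample)",
             "author_email": "maintainer@example.org"}
CLONE = {"name": "reqeusts", "summary": "HTTP library for humans (constructed sample)",
         "author_email": "maintainer@example.org"}

if __name__ == "__main__":
    for line, what, why in scan_setup_py(SUSPICIOUS_SETUP):
        print(f"setup.py:{line}: {what}: {why}")
    print("benign findings:", scan_setup_py(BENIGN_SETUP))
    for f in metadata_clone_findings(CLONE, REFERENCE):
        print("metadata:", f)
```

Run on a downloaded sdist, the scanner is a triage aid rather than a verdict: legitimate packages do occasionally shell out or decode data in setup.py, and an attacker can rename or wrap the calls the alias table does not follow (for example through `getattr` or `importlib`), so a hit means "read this before installing", and a clean result does not mean safe.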
Once running, W4SP harvests and exfiltrates Discord tokens and browser cookies, and searches directories for a list of keywords in the hope of finding further sensitive information. Any machine that installed the package should therefore be treated as compromised: removing the package does not help once the tokens and cookies have left the host, so Discord tokens and browser sessions need to be revoked and reissued.