Information stealers are being distributed by six malicious Python Package Index packages including discord-dev, discorder, easytimestamp, pyrologin, pythonstyles, and pyrologin all of which have already been removed, The Hacker News reports.
Threat actors have concealed the malicious code within the libraries' setup script, enabling malware deployment after the execution of a "pip install" command, a report from Phylum found. Researchers noted that a PowerShell script launched by the malware facilitates ZIP archive file retrieval, invasive dependency installation, and Visual Basic Script execution.
Aside from targeting various web browsers and harvest cookies, cryptocurrency wallet data, and saved passwords, the packages also enable the installation of Cloudflare Tunnel command-line tool cloudflared, which could then facilitate the distribution the xrat trojan, also known as poweRAT.
"This thing is like a RAT on steroids. It has all the basic RAT capabilities built into a nice web GUI with a rudimentary remote desktop capability and a stealer to boot!" said Phylum.