2023-02-15

Clipper-type malware is not exactly new in the world of computer security, but first things first.

Unknown malicious authors have published well over 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to infect developer systems with a type of malware known as a clipper.

What clipper malware is, in a nutshell

A clipper is basically a clipboard “hijacker”: it intercepts information as it is “carried” from one place to another. In this case a developer who programs in Python while online could, to put it plainly, find his data in someone else’s hands.

Unfortunately, this type of malware is nothing new: it had already drawn attention before (we are talking about November 2022).

But what does this malware “divert”? The answer: cryptocurrencies.

Clipper malware: let’s get to the point

Software supply chain security company Phylum, which identified the infected libraries, said the ongoing activity is a follow-up to a campaign initially disclosed in November 2022, known as Laplas.

The initial attack vector is typosquatting (used here to attack Python and Java programs and, consequently, their programmers): the packages mimic popular names such as beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana and tensorflow, among others.

“After installation [of one of these 450 libraries], a malicious JavaScript file is downloaded to the system and runs in the background of any web browsing session,” Phylum stated in a report released last year. “When a developer copies a cryptocurrency address, the address is replaced in the clipboard with the attacker’s address.”

This is accomplished by creating a Chromium web browser extension in the Windows AppData folder and writing there the unauthorized JavaScript and a manifest.json file that requests the user permissions needed to access and edit the clipboard.

Needless to say (as you can guess if you have seen enough of these), the targeted web browsers are those based on Chromium: Google Chrome, Microsoft Edge, Brave and Opera, with the malware modifying browser shortcuts so that the extension is loaded automatically at startup via the “--load-extension” command-line option.

The latest set of Python packages exhibits a similar, if not identical, modus operandi, and the packages are designed to function as clipboard-based malware that replaces crypto wallet addresses; what has changed is the obfuscation technique used to hide the JavaScript code (because many browsers are now able to identify malicious JS code).
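The JavaScript payload changes its obfuscation from campaign to campaign, but two artifacts described above are harder to hide: a sideloaded extension whose manifest.json asks for clipboard permissions, and a browser shortcut whose command line carries “--load-extension”. The following script is an added example written for this page, not code from the article or from Phylum; it checks both indicators. The directory layout, the sample manifest and the sample shortcut bytes are constructed for illustration, and the clipboardRead/clipboardWrite permission names are the standard Chromium manifest permissions.

```python
"""Look for indicators of a sideloaded clipboard-hijacking browser extension.

Added example, not code from the article or from Phylum. It reports extension
manifests that request clipboard permissions and shortcut/launcher files whose
command line contains --load-extension. Sample inputs are constructed.
"""
from __future__ import annotations

import json
from pathlib import Path

# Chromium manifest permissions that let an extension read or overwrite the clipboard.
CLIPBOARD_PERMISSIONS = {"clipboardRead", "clipboardWrite"}

# Windows .lnk files store the argument string as UTF-16LE; scripts and registry
# exports store it as plain text, so search for both encodings.
LOAD_EXT_MARKERS = [b"--load-extension", "--load-extension".encode("utf-16-le")]


def manifest_requests_clipboard(manifest_text: str) -> set[str]:
    """Return the clipboard permissions declared in an extension manifest (empty if none)."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError:
        return set()
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("optional_permissions", []))
    return declared & CLIPBOARD_PERMISSIONS


def shortcut_loads_extension(shortcut_bytes: bytes) -> bool:
    """True if a shortcut or launcher blob carries a --load-extension argument."""
    return any(marker in shortcut_bytes for marker in LOAD_EXT_MARKERS)


def scan_profile_dir(root: Path) -> list[str]:
    """Walk a directory (e.g. a user's AppData) and collect human-readable findings."""
    findings: list[str] = []
    for manifest in root.rglob("manifest.json"):
        perms = manifest_requests_clipboard(manifest.read_text(errors="replace"))
        if perms:
            findings.append(f"{manifest}: requests {sorted(perms)}")
    for lnk in root.rglob("*.lnk"):
        if shortcut_loads_extension(lnk.read_bytes()):
            findings.append(f"{lnk}: launches browser with --load-extension")
    return findings


if __name__ == "__main__":
    # Constructed sample: a manifest that asks for clipboard access.
    SAMPLE_MANIFEST = json.dumps({
        "manifest_version": 3,
        "name": "example-sideloaded",
        "version": "1.0",
        "permissions": ["clipboardRead", "clipboardWrite", "tabs"],
    })
    print(manifest_requests_clipboard(SAMPLE_MANIFEST))
    # Constructed sample: an argument string as it would sit inside a .lnk file.
    SAMPLE_LNK = b"\x4c\x00\x00\x00" + "--load-extension=C:\\Users\\x\\AppData\\ext".encode("utf-16-le")
    print(shortcut_loads_extension(SAMPLE_LNK))
```

To use it on a real machine, call scan_profile_dir on the user's AppData directory (and on the Desktop and Start Menu folders, where browser shortcuts live); a legitimate Chrome shortcut carries no --load-extension argument, so any hit deserves a look.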

As mentioned at the beginning, when describing what a clipper is: the ultimate goal of the attacks is to hijack cryptocurrency transactions initiated by the compromised developer and redirect them to wallets controlled by the attacker instead of the intended recipient.

“This attacker significantly increased their PyPI footprint through automation,” Phylum noted. “Filling the ecosystem with packages like this will continue.”

The findings coincide with a report by Sonatype, which found 691 malicious packages in the npm registry and 49 malicious packages in PyPI during January 2023 alone.

This development once again shows the growing threat developers face from supply chain attacks, with adversaries relying on methods such as typosquatting to trick users into downloading fraudulent packages.

If you program in Python, here’s how you might defend yourself

First of all, arm yourself with a good antivirus or antimalware (although if you end up needing it, it may already be too late…).

But before it comes to using an antivirus or antimalware program, check the sources of what you download and stay in contact with the developer community so as not to run into “foreign” packages.
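The typosquatting described earlier (packages mimicking beautifulsoup, pandas, tensorflow and the like) is something “checking the sources of what you download” can be partly automated for. The script below is an added example written for this page, not code from the article or from Phylum: it reads a requirements file, normalises each name the way PyPI does, and flags any name that is only a couple of edits away from a package on your own allowlist, which is exactly the pattern a typo-squat relies on. The allowlist and the sample requirements are constructed for illustration; adapt the list to the packages your project actually uses.

```python
"""Flag near-miss package names in a requirements file.

Added example, not code from the article or from Phylum. Names within a short
edit distance of an allowlisted package are reported as possible typosquats.
The allowlist and sample input are constructed.
"""
from __future__ import annotations

import re

# Packages the team intends to depend on (constructed; adapt to your project).
ALLOWLIST = ["beautifulsoup", "bitcoinlib", "cryptofeed", "matplotlib", "pandas",
             "pytorch", "scikit-learn", "scrapy", "selenium", "solana", "tensorflow"]

# Anything within this many edits of an allowed name is treated as a near miss.
MAX_DISTANCE = 2


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case and collapse runs of -, _ and . to a single -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the usual measure of 'one keystroke away' names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line: str) -> str | None:
    """Extract the project name from a requirements line; None for comments/options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def check_requirements(text: str, allowlist=ALLOWLIST) -> list[tuple[str, str]]:
    """Return (name, verdict) pairs: 'allowed', 'near-miss of <pkg>' or 'unknown'."""
    allowed = {normalize(p): p for p in allowlist}
    results = []
    for line in text.splitlines():
        name = requirement_name(line)
        if name is None:
            continue
        norm = normalize(name)
        if norm in allowed:
            results.append((name, "allowed"))
            continue
        close = [p for n, p in allowed.items() if edit_distance(norm, n) <= MAX_DISTANCE]
        results.append((name, f"near-miss of {close[0]}" if close else "unknown"))
    return results


if __name__ == "__main__":
    # Constructed sample requirements file with two deliberate misspellings.
    SAMPLE = "pandas==2.0.0\ntensorflwo>=2.11\nscikit-learn\nselenim\n# comment\nrequests\n"
    for name, verdict in check_requirements(SAMPLE):
        print(f"{name}: {verdict}")
```

An “unknown” verdict is not an alarm by itself (requests above is a perfectly legitimate package that simply is not on the constructed allowlist); a “near-miss” verdict is the one to stop and investigate before running pip install.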