Several malicious Python .whl files containing a new type of malware called “Kekw” have been discovered on PyPI (Python Package Index).
According to new data from Cyble Research and Intelligence Labs (CRIL), the Kekw malware can steal sensitive information from infected systems and hijack cryptocurrency transactions.
“After our investigation, we found that the Python packages under control were not present in the PyPI repository, indicating that the malicious packages had been removed by the Python security team,” CRIL wrote in an advisory released Wednesday.
“Besides, [we] verified with the Python security team on 2023-05-02 and confirmed that they removed the malicious packages within 48 hours of their upload.”
Because the packages were pulled so quickly, Cyble said it’s not possible to determine how many people downloaded them.
“However, we believe the impact of the incident may have been minimal,” the advisory said.
Mike Parkin, senior technical engineer at Vulcan Cyber, commented on the news, saying the packages are a prime example of the supply chain attacks that threat actors prefer today. He also credited the team managing the repository for its prompt response to the situation.
“It’s not practical to expect public repositories to do the work for you. While they do a lot, we can expect threat actors to continue to use this approach. The responsibility for verifying libraries in use ultimately lies with the developers,” Parkin added.
Commenting more generally, John Bambenek, principal threat hunter at Netenrich, said that while the advantage of open source software and libraries is that they rapidly increase the productivity and output of software engineering efforts, the downside is that anyone, including threat actors, can contribute code.
“While this malicious activity can be discovered quickly, it’s not as if open source software efforts have large-scale SOCs that protect their efforts from malicious code insertion,” the security expert added.
For example, just a couple of months ago, Sonatype discovered a substantial number of malicious packages in the npm and PyPI open source registries.
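The verification that Parkin places on developers can be made mechanical. The following is an added example (my code, not Cyble's, Parkin's or PyPI's) that checks locally downloaded .whl files against pinned sha256 hashes written in the form pip's hash-checking mode accepts; the package name, wheel bytes and lookalike filename are constructed for the demo.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One pin per line in pip hash-checking form: example-pkg==1.0.0 --hash=sha256:<64 hex>
_PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)\s+--hash=sha256:([0-9a-f]{64})\s*$")

def parse_pins(text: str) -> dict:
    """Map normalised project name -> (pinned version, expected sha256 hex)."""
    pins = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pin: {line!r}")
        name, version, digest = m.groups()
        pins[name.lower().replace("_", "-")] = (version, digest)
    return pins

def verify_wheel(path: Path, pins: dict) -> tuple:
    """Return (ok, reason): accept only a pinned name whose sha256 matches."""
    stem = path.name[:-4] if path.name.endswith(".whl") else ""
    parts = stem.split("-")  # name-version-pytag-abitag-platformtag
    if len(parts) < 5:
        return False, "not a valid wheel filename"
    name = parts[0].lower().replace("_", "-")
    if name not in pins:
        return False, f"{name} is not pinned (lookalike or unexpected package?)"
    want_digest = pins[name][1]
    if not hmac.compare_digest(hashlib.sha256(path.read_bytes()).hexdigest(), want_digest):
        return False, f"{name} sha256 mismatch (altered or substituted wheel)"
    return True, "ok"

def demo() -> dict:
    """Constructed scenario: a pinned wheel, the same file altered, an unpinned lookalike."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        whl = Path(d) / "example_pkg-1.0.0-py3-none-any.whl"
        whl.write_bytes(b"constructed sample wheel bytes")  # not a real wheel archive
        digest = hashlib.sha256(whl.read_bytes()).hexdigest()
        pins = parse_pins(f"example-pkg==1.0.0 --hash=sha256:{digest}\n")
        out["pinned"] = verify_wheel(whl, pins)[0]
        whl.write_bytes(b"constructed sample wheel bytes + injected code")
        out["tampered"] = verify_wheel(whl, pins)[0]
        look = Path(d) / "exampl_pkg-1.0.0-py3-none-any.whl"
        look.write_bytes(b"constructed lookalike")
        out["unpinned"] = verify_wheel(look, pins)[0]
    return out
```

Running `demo()` accepts only the wheel whose name and hash were pinned; the altered file and the lookalike name are both rejected before anything is installed.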
This week, security experts have uncovered concerning new malicious code known as “Kekw” hidden in Python packages. Developed by experts at Ikaroa, the code has the potential to steal data and hijack crypto, posing major ethical and financial risks to traditional software systems.
Kekw, which is written in the Python programming language, is malicious code that is covertly injected into legitimate Python packages. Once installed, it can be used to remotely control systems, allowing attackers to install and execute their own malicious programs. Because data can be stolen and manipulated silently, the owners of a system may not even be aware that their data has been intercepted or that their system is under the control of a malicious actor.
Not only can Kekw intercept confidential data, it can also hijack crypto — the ownership of digital assets such as Bitcoin and Ethereum. As financial operations are frequently handled online today, the risks associated with Kekw extend far beyond data security to financial security as well.
As an established full stack tech company, Ikaroa is at the forefront of cybersecurity. In order to prevent Kekw from becoming widespread and damaging, Ikaroa’s team of developers and cybersecurity experts has identified the malicious code and developed a set of countermeasures.
Such countermeasures include regularly monitoring for potential malicious activity and developing a layered defense system for the different tiers of development. The team at Ikaroa has also established a security-minded collaborative development process between its software development and operations teams. In this way, developers can better detect malicious code, ultimately preventing any risk of data or financial theft.
In the long term, preventing malicious Python code such as Kekw requires an understanding of the technology behind it. That’s why Ikaroa is committed to continued research and development of secure solutions and promising technologies. In this way, Ikaroa will be able to stay ahead of emerging malicious code and support the safety of its partners and customers.