Bitcoin Forum
Topic: Dormant PyPI Package: Deploying NovaSentinel Crypto Stealer
Jating (OP)
February 29, 2024, 12:26:10 AM
 #1

A package listed on the Python Package Index (PyPI) repository, which has been dormant since it was first published to PyPI in April 2022. The package name is:

Code:
django-log-tracker

And its repository is https://github.com/Ragib01/django_log_tracker. Django-log-tracker has been downloaded 3,866 times to date, with the rogue version (1.0.4) downloaded 107 times on the date it was published. While the linked GitHub repository hasn't been updated since April 10, 2022, the introduction of a malicious update suggests a likely compromise of the PyPI account belonging to the developer.

So most likely there could be some machines already being compromised and stealing cryptos. Below are the crypto addresses that have been used by criminals.



Quote
Ethereum address

has transacted 43 times on the Ethereum blockchain. It has received a total of 0.552653110090466539 ETH $1,649.89 and has sent a total of 0.52827227363384611 ETH $1,577.10. The current value of this address is 0.00 ETH $0.00.

Quote
And the Bitcoin address

has transacted 49 times on the Bitcoin blockchain. It has received a total of 0.33228144 BTC $17,166.00 and has sent a total of 0.33228144 BTC $17,166.00 (❗) The current value of this address is 0.00000000 BTC $0.00.

https://blog.phylum.io/dormant-pypi-package-updated-to-deploy-novasentinel-stealer/


So for Python developers out there, just be careful about what packages you use, which includes libraries, frameworks, utilities, and tools.

Malware is everywhere now, and it is very difficult for us crypto enthusiasts, as we are the target of these cyber criminals.
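An added example, not part of the original post and not Phylum's code: a check that reads release history in the shape of PyPI's JSON API and flags versions published after a long silence, then matches pinned requirements against them. Version 1.0.4 comes from the post; the other version, every timestamp, and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample shaped like PyPI's JSON API (/pypi/<name>/json).
# 1.0.4 is the rogue release named in the post; 1.0.3 and both timestamps are made up.
SAMPLE_METADATA = json.loads("""
{
  "info": {"name": "django-log-tracker"},
  "releases": {
    "1.0.3": [{"upload_time_iso_8601": "2022-04-10T09:00:00.000000Z"}],
    "1.0.4": [{"upload_time_iso_8601": "2024-02-01T12:00:00.000000Z"}]
  }
}
""")

def release_dates(metadata):
    """Return [(first_upload_time, version)] sorted oldest first."""
    out = []
    for version, files in metadata["releases"].items():
        times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
                 for f in files]
        if times:  # releases with no uploaded files carry no date
            out.append((min(times), version))
    return sorted(out)

def releases_after_dormancy(metadata, max_gap_days=365):
    """Versions published after a silence longer than max_gap_days."""
    dated = release_dates(metadata)
    flagged = []
    for (prev_time, _), (cur_time, version) in zip(dated, dated[1:]):
        gap = cur_time - prev_time
        if gap > timedelta(days=max_gap_days):
            flagged.append((version, gap.days))
    return flagged

def pins_to_review(requirement_lines, metadata, max_gap_days=365):
    """Return 'name==version' pins that match a post-dormancy release."""
    # Simplified name normalisation: lower-case and treat '_' as '-'.
    name = metadata["info"]["name"].lower().replace("_", "-")
    suspicious = {v for v, _ in releases_after_dormancy(metadata, max_gap_days)}
    hits = []
    for line in requirement_lines:
        spec = line.split("#")[0].strip()  # drop trailing comments
        if "==" not in spec:
            continue
        pkg, version = (part.strip() for part in spec.split("==", 1))
        if pkg.lower().replace("_", "-") == name and version in suspicious:
            hits.append(f"{name}=={version}")
    return hits
```

A flagged pin is a prompt to diff the release against the source repository before installing, not proof of compromise.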
btc_angela
February 29, 2024, 05:06:13 AM
 #2

From the way I understand it, it was deployed years ago and there was no update whatsoever. So it means that the author (maybe his account was hacked already) was the sole culprit of having this package laid with crypto stealer malware.

So it went under the radar for cyber investigators; nevertheless, after two years it has been found.

Unfortunately it has been used already, and obviously someone has already fallen for this malware, as it shows the Bitcoin and Ethereum addresses have been deposited and then withdrawn right away.

Dave1
February 29, 2024, 12:37:46 PM
 #3

At least it has been taken down already, although damage has been done obviously.

These criminals are not going to stop and will always find a way to insert their malware into even an unsuspecting PyPI package. And even if it is open source, we shouldn't trust anything but we have to verify.

And just imagine if they can insert it into a more popular PyPI package; it could be disastrous, as many will fall for it and lose their crypto to these online criminals.

ImThour
February 29, 2024, 01:12:28 PM
 #4

Thanks for sharing; however, I do not understand the purpose of using these libraries which aren't developed by a guy who understands the security of his own account and is reliable. I never use any library, as the code is open source most of the time; you can just copy and paste the function you need from the library instead of completely relying upon it. And nowadays, I use ChatGPT and other AI programming tools too often to create some interesting snippets or functions.