A dormant package available in the Python Package Index (PyPI) repository was updated nearly two years later to propagate an information-stealing malware called Nova Sentinel.
The package, named django-log-trackerwas first published on PyPI in April 2022, according to software supply chain security firm Phylum, which detected an anomalous update in the library on February 21, 2024.
Although the linked GitHub repository has not been updated since April 10, 2022, the introduction of a malicious update suggests a likely compromise of the PyPI account belonging to the developer.
Django-log-tracker has been downloaded 3,866 times to date, with the rogue version (1.0.4) downloaded 107 times on release date. The package is no longer available for download from PyPI.
“In the malicious update, the attacker stripped the package of most of its original content, leaving behind only the __init__.py and example.py files,” the company said.
The simple and self-explanatory changes involve retrieving an executable called “Updater_1.4.4_x64.exe” from a remote server (“45.88.180[.]54”), followed by launching using the Python os.startfile() function.
The binary, for its part, is embedded with Nova Sentinel, a rogue malware that was first documented by Sekoia in November 2023 as being distributed in the form of fake Electron apps on fake sites offering video game downloads.
“What’s interesting about this particular case […] is that the attack vector appeared to be an attempted supply chain attack via a compromised PyPI account,” Phylum said.
“If this had been a really popular package, any project with this package listed as a dependency without a version specified or a flexible version specified in the dependencies file would have pulled the latest, most malicious version of this package.”