Malicious Python libraries targeting Linux servers removed from PyPI

Security firm scanned over one million PyPI packages and found three backdoored libraries.
Written by Catalin Cimpanu, Contributor
Malicious PyPI packages
Image: ReversingLabs

A security firm found three malicious Python libraries uploaded on the official Python Package Index (PyPI) that contained a hidden backdoor which would activate when the libraries were installed on Linux systems.

The three packages -- named libpeshnx, libpesh, and libari -- were authored by the same user (named ruri12) and had been available for download from PyPI for almost 20 months, since November 2017, before the packages were discovered earlier this month by security reserchers from ReversingLabs.

The PyPI team removed the packages on July 9, the same day ReversingLabs notified the PyPI repo maintainers about their findings.

None of the three packages ever listed a description, so it's impossible to tell what was their purpose. However, PyPI stats showed that the packages were being regularly downloaded, with tens of monthly installations for each.

Monthly downloads for one of the malicious libraries

Monthly downloads for one of the malicious libraries

Image: ReversingLabs

As for the malicious code, it was a simple backdoor mechanism that only activated when installed on Linux systems.

"Once the package is installed via Python package manager it waits for it to be called by the user," ReversingLabs Chief Software Architect and Founder Tomislav Pericin told ZDNet in an interview.

"If run by the user, the backdoor becomes active," he said. "There is also an installation procedure that makes running the backdoor more automated."

ReversingLabs says the backdoor was an interactive shell that attackers could have used to connect and run commands on computers that installed the three libraries.

At the time ReversingLabs found the three libraries, the backdoor was only active in the libpeshnx library, but the other two packages (libpesh and libari) contained "references to the malicious function without any code," suggesting the author had either removed it, or was preparing to roll out backdoored versions of the other two libraries as well.

As for the developer behind the three malicious packages, Pericin was pretty clear on what was happening.

"The account wasn't compromised," he told ZDNet. "The user was uploading packages with clear intent to trick developers into including it in their code. Once run that code could become the source of the compromise."

Pericin's team found the malicious libraries after they scanned the entire PyPi repository for suspicious file formats hidden in Python libraries, such as PE and EXE file formats. In total, the company said it scanned over one million PyPI packages. More details about this scanning process are available in the company's blog post.

Last year, a security researcher named Bertus found 12 malicious Python libraries that would also work in a similar format by opening shells on hosts to downloaded and ran the libraries.

HackerOne's top 20 public bug bounty programs

Related malware and cybercrime coverage:

Editorial standards