A dormant package on the Python Package Index (PyPI) repository was updated, nearly two years after it was first published, to spread Nova Sentinel, an information-stealing malware.
According to software supply chain security company Phylum, which discovered an anomalous update to the library on February 21, 2024, the package, known as django-log-tracker, was first published to PyPI in April 2022.
The linked GitHub repository hasn’t been updated since April 10, 2022, which suggests the malicious update is the result of a compromise of the developer’s PyPI account.
The rogue version of django-log-tracker (1.0) was downloaded 107 times on the day it was released, bringing the package’s total download count to 3,866. PyPI no longer offers the package for download.
The malicious update removed most of the package’s original content, leaving behind only an “__init__.py” and an “example.py” file, according to the company.
The changes are simple and self-explanatory: retrieve an executable named “Updater_1.4.4_x64.exe” from a remote server (45.88.180[.]54), then launch it with Python’s os.startfile() function.
The binary, for its part, embeds Nova Sentinel, a stealer malware first documented by Sekoia in November 2023 as being spread via fake Electron apps hosted on bogus websites offering video game downloads.
The attack vector in this particular case appeared to be an attempted supply chain attack via a compromised PyPI account, according to Phylum.
The latest, malicious version of this package would have been pulled into any project that listed it as a dependency with no version pinned, or with a flexible version range, in its dependency file.
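The last point is the practical lesson for defenders: a dependency that is not pinned to one exact version silently accepts whatever the index serves next. The following is an added example, not code from Phylum or from the article, that scans a requirements file and reports which entries would have received a newly uploaded release. The requirements file and the candidate version numbers passed to it are constructed for illustration; the version comparison is a deliberately small subset of PEP 440 (numeric dotted versions, the common operators and `.*` wildcards), not a replacement for the `packaging` library.

```python
"""Report dependencies that float (no exact pin) and so would have pulled in a
newly published release without anyone changing the requirements file."""
import re
from dataclasses import dataclass, field

# Constructed sample requirements file (not from any real project).
SAMPLE_REQUIREMENTS = """\
# web stack
Django>=4.2,<5.0
django-log-tracker            # no version at all: any new upload is accepted
requests==2.31.0              # exact pin: a new upload is ignored
urllib3~=2.0                  # compatible release: accepts any 2.x
cryptography>=42.0.0          # open-ended lower bound
pyyaml==6.0.*                 # wildcard pin still floats on the last segment
"""

# name, optional [extras], then the specifier part (e.g. ">=4.2,<5.0")
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*$")
_SPEC_RE = re.compile(r"(===|==|!=|~=|>=|<=|>|<)\s*(.+)")


@dataclass
class Requirement:
    name: str
    specifiers: list = field(default_factory=list)  # [(operator, version), ...]


def _parse_version(version):
    """Numeric dotted version string -> tuple of ints, e.g. "2.31.0" -> (2, 31, 0)."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def parse_requirements(text):
    """Parse requirements.txt-style lines; comments, blanks and -r/-e options are skipped."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_RE.match(line)
        if not match:
            continue
        name, _extras, spec = match.groups()
        specifiers = []
        for part in filter(None, (p.strip() for p in spec.split(","))):
            sm = _SPEC_RE.match(part)
            if sm:
                specifiers.append((sm.group(1), sm.group(2).strip()))
        reqs.append(Requirement(name.lower(), specifiers))
    return reqs


def is_exact_pin(req):
    """True only for ==X.Y.Z / ===X.Y.Z without a trailing wildcard."""
    return any(op in ("==", "===") and not ver.endswith("*") for op, ver in req.specifiers)


def accepts_version(req, candidate):
    """True if `candidate` satisfies every specifier on the requirement."""
    cand = _parse_version(candidate)
    for op, ver in req.specifiers:
        if ver.endswith(".*"):                       # ==6.0.* / !=6.0.* prefix match
            prefix = _parse_version(ver[:-2])
            same_prefix = cand[:len(prefix)] == prefix
            if (op == "==" and not same_prefix) or (op == "!=" and same_prefix):
                return False
            continue
        v = _parse_version(ver)
        if op == "~=":                               # ~=1.4.2 means >=1.4.2, ==1.4.*
            if not (cand >= v and cand[:len(v) - 1] == v[:-1]):
                return False
        elif op in ("==", "===") and cand != v:
            return False
        elif op == "!=" and cand == v:
            return False
        elif op == ">=" and not cand >= v:
            return False
        elif op == "<=" and not cand <= v:
            return False
        elif op == ">" and not cand > v:
            return False
        elif op == "<" and not cand < v:
            return False
    return True


def floating_dependencies(text):
    """Names of dependencies that are not pinned to one exact version."""
    return [r.name for r in parse_requirements(text) if not is_exact_pin(r)]


def would_have_received(text, name, new_version):
    """Would a fresh upload `new_version` of `name` be installed from this file?"""
    return any(r.name == name.lower() and accepts_version(r, new_version)
               for r in parse_requirements(text))


if __name__ == "__main__":
    for dep in floating_dependencies(SAMPLE_REQUIREMENTS):
        print("floating dependency:", dep)
    # Hypothetical new upload of the unpinned package: accepted without review.
    print("django-log-tracker 1.0 installed?",
          would_have_received(SAMPLE_REQUIREMENTS, "django-log-tracker", "1.0"))
```

Run against a real project the report lists every entry a CI job should either pin (ideally with a hash via `pip install --require-hashes`) or at least review before the next lockfile refresh; the exact-pinned `requests` line is the only one in the sample that a surprise upload cannot touch.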