Malicious Python package hides the Sliver C2 framework in the logo image of a fake requests library.
A malicious Python package posing as a spinoff of the popular requests library has been found by cybersecurity researchers to hide a Golang version of the Sliver command-and-control (C2) framework inside a PNG image of the project's logo.
The package using this steganographic trick, requests-darwin-lite, was downloaded 417 times before it was removed from the Python Package Index (PyPI) repository.
requests-darwin-lite "appeared to be a fork of the ever-popular requests package with a few key differences, most notably the inclusion of a malicious Go binary
The package's setup.py has been modified so that it decodes and runs a Base64-encoded command in order to obtain the system's Universally Unique Identifier (UUID).
The twist is that the infection chain only continues if that identifier matches a hard-coded value, which suggests the package's author(s) are targeting a specific machine whose identifier they already obtained by some other means.
That leaves two plausible scenarios: either this is a highly targeted attack, or it is a test run for a larger campaign.
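As an added illustration (not code from the post, and not the package's own code), here is a small static check for the setup.py pattern described above: a value produced by a base64 decoder flowing into a process-execution call. It parses the file with Python's ast module instead of executing it, so it is safe to run on an untrusted package. The three setup.py strings are constructed stand-ins, and the "target-host-id" gate is a placeholder, not the real package's identifier.

```python
import ast

# Decoder calls whose output we treat as opaque, attacker-chosen data.
DECODERS = {("base64", "b64decode"), ("base64", "b85decode"), ("base64", "a85decode")}
# Process / shell execution sinks that have no business in an honest setup.py.
SINKS = {("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "call"),
         ("subprocess", "check_call"), ("subprocess", "check_output"),
         ("os", "system"), ("os", "popen")}


def _qualname(func):
    """('module', 'attr') for a call target like subprocess.run; None otherwise."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def _has_decoder(node):
    """True if any call under node is a DECODERS call, e.g. base64.b64decode(x).decode()."""
    return any(isinstance(n, ast.Call) and _qualname(n.func) in DECODERS
               for n in ast.walk(node))


class _DecodeExecFinder(ast.NodeVisitor):
    """Walks statements in source order, tracking names assigned from decoded data."""

    def __init__(self):
        self.tainted = set()
        self.findings = []

    def visit_Assign(self, node):
        if _has_decoder(node.value):
            self.tainted.update(n.id for target in node.targets
                                for n in ast.walk(target) if isinstance(n, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        sink = _qualname(node.func)
        if sink in SINKS:
            args = list(node.args) + [kw.value for kw in node.keywords]
            used = sorted({n.id for a in args for n in ast.walk(a)
                           if isinstance(n, ast.Name) and n.id in self.tainted})
            inline = any(_has_decoder(a) for a in args)
            if used or inline:
                self.findings.append({"sink": ".".join(sink), "line": node.lineno,
                                      "tainted_args": used, "inline_decode": inline})
        self.generic_visit(node)


def find_decode_and_exec(source):
    """Return a list of findings where decoded data reaches a process-execution call."""
    finder = _DecodeExecFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample (not the real package's code): the shape described in the post.
SAMPLE_SETUP_PY = """\
import base64
import subprocess
from setuptools import setup

cmd = base64.b64decode("ZWNobyBkZW1vLXV1aWQ=").decode()
host_id = subprocess.check_output(cmd, shell=True).decode().strip()
if host_id == "target-host-id":   # placeholder gate, not a real identifier
    pass                           # the real package continued its chain here

setup(name="demo-package", version="0.0.1")
"""

# Constructed sample with the decode inlined into the sink call.
INLINE_SETUP_PY = """\
import base64, os
os.system(base64.b64decode("ZWNobyBoaQ==").decode())
"""

# Constructed benign sample for comparison.
BENIGN_SETUP_PY = """\
from setuptools import setup
setup(name="demo-package", version="0.0.1")
"""

if __name__ == "__main__":
    for label, src in [("sample", SAMPLE_SETUP_PY), ("inline", INLINE_SETUP_PY),
                       ("benign", BENIGN_SETUP_PY)]:
        print(label, find_decode_and_exec(src))
```

The taint tracking is deliberately shallow (direct assignment only, no dataflow through function calls or string concatenation), which is enough to catch the decode-then-execute shape this post describes; a more evasive loader can be missed, so treat a clean result as "nothing obvious" rather than "safe".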
If the UUIDs match, requests-darwin-lite reads data from a PNG file named "requests-sidebar-large.png", a counterpart of the legitimate requests package's "requests-sidebar.png".
The difference is in size: the real requests logo is about 300 kB, while the logo bundled with requests-darwin-lite is about 17 MB.
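As an added example (not the original post's code, and not the package's), here is a small PNG chunk walker that turns the "oversized logo" observation into a repeatable check: it parses the chunk list, verifies each CRC, reports bytes trailing after IEND, flags non-standard chunk types, and flags a file far larger than its declared dimensions could need. The post does not say where inside the 17 MB image the Go binary sits, so this is a generic check, not a claim about requests-darwin-lite's exact layout; the 1x1 test image and the appended payload are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each IHDR colour type: grey, RGB, palette, grey+alpha, RGBA.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP",
                   "sBIT", "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs",
                   "sPLT", "tIME", "eXIf"}


def make_chunk(ctype, payload):
    """Assemble one PNG chunk: big-endian length, 4-byte type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_tiny_png():
    """Constructed 1x1 RGB PNG so the example runs without any image on disk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    scanline = b"\x00" + b"\x00\x00\x00"                    # filter byte + one black pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(scanline))
            + make_chunk(b"IEND", b""))


def inspect_png(data):
    """Walk the chunk list and report anything an ordinary image would not carry."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "findings": [], "trailing_bytes": 0,
              "size": None, "pixel_bytes": None}
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 12 + length                       # length + type + data + crc
        if end > len(data):
            report["findings"].append(f"truncated chunk {name} at offset {pos}")
            return report
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if stored_crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            report["findings"].append(f"CRC mismatch on chunk {name} at offset {pos}")
        report["chunks"].append((name, length))
        if name == "IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            report["size"] = (width, height)
            # Bytes of unfiltered, uncompressed pixel data this image can hold.
            report["pixel_bytes"] = height * (1 + (width * CHANNELS.get(colour, 4) * depth + 7) // 8)
        elif name not in STANDARD_CHUNKS:
            report["findings"].append(f"non-standard chunk {name} carrying {length} bytes")
        pos = end
        if name == "IEND":
            break
    report["trailing_bytes"] = len(data) - pos
    if report["trailing_bytes"]:
        report["findings"].append(f"{report['trailing_bytes']} bytes appended after IEND")
    if report["pixel_bytes"] is not None and len(data) > 2 * report["pixel_bytes"] + 4096:
        report["findings"].append(f"file is {len(data)} bytes but the image needs at most "
                                  f"{report['pixel_bytes']} bytes of pixel data")
    return report


if __name__ == "__main__":
    clean = make_tiny_png()
    # Constructed payload: an ELF-looking blob glued onto the end of the image.
    stuffed = clean + b"\x7fELF" + b"\x90" * 8192
    print(inspect_png(clean)["findings"])
    print(inspect_png(stuffed)["findings"])
```

The size heuristic only catches data that lives outside the pixel stream (appended after IEND, or parked in an extra chunk). A binary stored as genuine pixel data in a large enough image passes it, which is why the report also returns the declared dimensions: comparing them, and the file size, against the upstream project's own logo, as the post does with 300 kB versus 17 MB, is the check that generalises.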
The Golang-based Sliver, an open-source C2 framework intended for use by security experts in their red team activities
Although the package's specific objective is currently unknown, its development indicates that malware distribution
Since most codebases depend on open-source code, it is imperative to address such issues methodically to keep them from "derailing large swaths of the web." This is especially pressing in light of the recent XZ Utils incident and the continuing flow of malware into npm, PyPI, and other package registries.
#python #malicious #security #cybersecurity #understanding #learn