As such, cybersecurity researchers have now discovered a new set of malicious Python packages that made their way to the Python Package Index (PyPI), which were abusing the application programming interfaces (APIs) of two frontrunning social media apps, namely Instagram and TikTok, to potentially pilfer user data.
These packages, which acted as decoy checker tools, both were built to check lists of compromised email addresses against the APIs of the two social media giants.
The researchers found three main malicious packages that were downloaded over here 2,600 times: “checker−SaGaF,” “steinlurks” (more than 1,000 downloads), and “sinnercore” (over 3,300 download).
Although these packages have been removed from the PyPI repository, their presence and download counts are a testament to the continuing threat to software supply chain security.
Modus Operandi
The bad packages used various methods to communicate with Instagram and TikTok APIs.
checker-SaGaF: This pair went after TikTok and Instagram. It initiated HTTP POST requests to the TikTok password recovery API and to Instagram account login endpoints. They wanted to know if a specific email address was associated with an account that was in use on one of the sites.
Through verifying the validity of email addresses in this way, attackers can generate lists of known good active users for further attacks, such as doxing, spamming, fake report attacks, credential stuffing, or sale on the dark web.
Steinlurks: This package was designed to target Instagram accounts. It emulated HTTP POST requests sent by the legitimate Instagram Android app to hide the spoofed traffic.
It attempted to verify emails associated with Instagram accounts by hitting various API endpoints utilized by the mobile app.
Sinnercore: This package based off of Instagram’s “forgot password” flow. It would make bogus HTTP requests to the API endpoint in charge of triggering password resets, providing the target usernames in the requests.
This could be used to validate the existence of an account and may pave the way for account takeover attacks.
Implications and recommendations more generally
The identification of such malicious packages highlights the need to pay attention when foraging in open source software trees (like PyPI). Developers and users should upgrade to the following versions:
Review dependencies: Know what a package relies on that you’re installing. Unanticipated or unfamiliar dependencies can also be a warning sign.
Monitor your environment’s network traffic: Watch out for any abnormal network activity in your development environment or in systems in which Python is running.
Use of security tools: Use SCA tools which can be used to detect known vulnerabilities and malicious code within dependencies.
Updating systems: Ensure that your Python environment (including pip and setuptools) is updated to the freshest point release so you can take advantage of the latest security patches.
This attack is a timely reminder of the changing methods employed by attackers against software engineers and their infrastructure. By taking notice of these threats and using preventive security technologies, users can minimize the risk of becoming a victim of such attacks.
