PROBABLY_PENTEST (1) campaign cataloged at 2024-10-08(2).
- Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2024-10-old-fake-usreagant¶
Package imitates the legitimate fake-useragent, however it has a few suspicious additions: fake.py L149 calls a function from 'urllib2' module, which contains a code attempting to JSON-deserialize encoded code. This is a pickle executing os.system(id), which of course isn't executed by json.loads, but would be by pickle. Also: action is suspicious, not really malicious, but the package is a clear typosquatting attempt.
Abuse categories¶
action-hidden-in-lib-usage
The malicious action is hidden in the code and starts when user interacts with it (e.g. during class initialization or by exfiltrating given credentials).
clones_real_package
The package is a clone of a legitimate package or library, but with malicious code added.
dependency-confusion
An attempt to exploit dependency confusion
typosquatting
The package name is an typosquatting variant of a popular package.