Skip to content

MALICIOUS (1) package from Python Package Index.

  1. The campaign has clearly malicious intent, like infostealers.

snapshot-photo

  1. May not be available. See more in pypi-json-data repository.
  2. Version numbers are currently not tracked. Assume all versions are affected.

Campaign data

Campaign information may not always be 100% accurate for every related package.

Campaign description

This campaign is built from two parts: 1) packages named like time-check-server, snapshot-photo contain an innocent-looking code that sends "date" to a remote server, 2) packages named like alicloud-client are clones of legit aliyun-python-sdk-core package, with a small change in the client.py code, where it imports the time-check-server and calls it, but instead of a date, the credentials to the cloud are exfiltrated. There are also variations with AWS clients

Apparently, the campaign started at least 2 years ago with the snapshot-photo package containing the same functionality as the newer time-check-server (see https://github.com/pypi-data/pypi-mirror-238/blob/code/packages/snapshot-photo/snapshot_photo-0.0.3-py3-none-any.whl/snapshot_photo/date_format.py).

See more details on the campaign page.

action-hidden-in-lib-usage

Campaign targets action-hidden-in-lib-usage.

clons_real_package

The package is a clone of a real package, but with malicious code added.

exfiltration_cloud_tokens

Campaign targets exfiltration_cloud_tokens.

through_dependency

The malicious code is intentionally included in a dependency of the package