Select Page

A malicious Python package on the Python Package Index (PyPI) repository has been found to use Unicode as a trick to evade detection and deploy an info-stealing malware.

The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and exfiltrate credentials and other valuable data. It has since been taken down, but not before attracting a total of 183 downloads.

According to software supply chain security firm Phylum, the package incorporates its malicious behaviour in a setup script that’s packed with thousands of seemingly legitimate code strings.

These strings include a mix of bold and italic fonts and are still readable and can be parsed by the Python interpreter, only to activate the execution of the stealer malware upon installation of the package.

“An obvious and immediate benefit of this strange scheme is readability,” the company noted. “Moreover, these visible differences do not prevent the code from running, which it does.”

images from Hacker News