A malicious package discovered on the Python Package Index (PyPI) has been found employing a steganographic trick to conceal malicious code within image files.
The package in question, named “apicolor,” was uploaded to the Python third-party repository on October 31, 2022, and described as a “Core lib for REST API,” according to Israeli cybersecurity firm Check Point. It has since been taken down.
Apicolor, like other rogue packages detected recently, harbours its malicious behaviour in the setup script used to specify metadata associated with the package, such as its dependencies.
The malicious behaviour takes the form of a second package called “judyb” as well as a seemingly harmless PNG file (“8F4D2uF.png”) hosted on Imgur, an image-sharing service.
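The install-time pattern described above (a setup script that pulls in another package and an image file) can be screened for statically. The following is an added example, not code from the article or from Check Point; the setup.py it scans is constructed, and the commands in it are assumed, with only the package name and file name taken from the article.

```python
import ast
import re

# Constructed sample setup.py (added example, not the real package's code) that
# mimics the pattern the article describes: the install script itself pulls in
# a second package ("judyb") and a PNG hosted on Imgur. The package and file
# names come from the article; the exact commands are an assumption.
SUSPECT_SETUP_PY = '''
import os, subprocess
from setuptools import setup
subprocess.run(["pip", "install", "judyb"])
os.system("curl -o 8F4D2uF.png https://i.imgur.com/8F4D2uF.png")
setup(name="apicolor", version="0.1", description="Core lib for REST API")
'''

# Calls that a metadata-only setup script has no legitimate reason to make.
SUSPECT_CALLS = {"os.system", "subprocess.run", "subprocess.Popen", "subprocess.call",
                 "subprocess.check_output", "urllib.request.urlopen", "requests.get", "exec"}
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
URL_RE = re.compile(r"https?://\S+")

def _dotted_name(node):
    """Turn a call target such as subprocess.run into the string 'subprocess.run'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def scan_setup_py(source):
    """Statically scan setup.py source; return sorted findings (empty means clean)."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPECT_CALLS:
                findings.add(f"call:{name}")
                # String literals inside the call reveal a runtime "pip install".
                literals = [c.value for c in ast.walk(node)
                            if isinstance(c, ast.Constant) and isinstance(c.value, str)]
                if "pip" in literals and "install" in literals:
                    findings.add("runtime-pip-install")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Any string literal: embedded URLs and references to image files.
            for url in URL_RE.findall(node.value):
                findings.add(f"url:{url}")
            if any(ext in node.value.lower() for ext in IMAGE_EXTENSIONS):
                findings.add("image-file-reference")
    return sorted(findings)
```

Running `scan_setup_py(SUSPECT_SETUP_PY)` reports the shell calls, the runtime pip install, the Imgur URL and the image-file reference, while a metadata-only setup.py yields an empty list.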