Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library Logo


Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang version of the Sliver command-and-control (C2) framework within a PNG image of the project's logo. The package employing this steganographic trickery is requests-darwin-lite, which had been downloaded 417 times before it was taken down from the Python Package Index (PyPI) registry.

Requests-darwin-lite "appeared to be a fork of the ever-popular requests package with a few key differences, most notably the inclusion of a malicious Go binary packed into a large version of the actual requests side-bar PNG logo," software supply chain security firm Phylum said. The changes were introduced in the package's file, which has been configured to decode and execute a Base64-encoded command to gather the system's Universally Unique Identifier (UUID).
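The two tricks described above (a Go binary packed into an oversized PNG logo, and a setup script that Base64-decodes a command and runs it) can both be checked for mechanically. The script below is an added example, not Phylum's tooling or code from the package, and it assumes the binary was appended after the PNG's IEND chunk, which the article does not specify; the sample PNG and sample setup script are constructed.

```python
import ast
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes follow IEND (0 = clean).
    A binary appended to an otherwise valid logo shows up here as a large trailer."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # chunk header + data + CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated PNG: no IEND chunk")

SINKS = {"exec", "eval", "system", "Popen", "run", "check_output"}
DECODERS = {"b64decode", "decodebytes", "a2b_base64"}

def _call_name(call: ast.Call):
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)

def suspicious_decode_exec(source: str) -> list:
    """Line numbers of exec/eval/subprocess-style calls whose arguments contain a
    Base64 decode call. Only the decode nested directly inside the sink is caught;
    a decode stored in a variable first would need data-flow tracking (not done here)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _call_name(node) in SINKS:
            inner = (c for c in ast.walk(node) if isinstance(c, ast.Call) and c is not node)
            if any(_call_name(c) in DECODERS for c in inner):
                hits.append(node.lineno)
    return hits

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png(payload: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG; `payload` is appended after IEND to mimic a packed binary."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")   # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + payload

# Constructed stand-in for the decode-and-run step the report describes;
# the Base64 string is just "echo demo", not the real command.
SAMPLE_SETUP = '''from setuptools import setup
import base64, subprocess
subprocess.check_output(base64.b64decode("ZWNobyBkZW1v").decode(), shell=True)
setup(name="example")
'''
```

Run over a real package, `png_trailing_bytes` is applied to every `.png` in the sdist and `suspicious_decode_exec` to its setup script; a non-zero trailer or any flagged line is grounds to quarantine the package before installation.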

Security Officer Comments:
This discovery of the requests-darwin-lite package underscores the evolving sophistication of malware distribution tactics within open-source ecosystems. By exploiting the trust associated with well-known libraries like requests, threat actors can effectively conceal malicious payloads, such as the Golang-based Sliver framework, within innocuous-seeming files. The deliberate inclusion of steganographic techniques, such as hiding executable code within a PNG image, showcases a level of ingenuity aimed at bypassing traditional security measures.

Suggested Corrections:
This incident underscores the critical importance of robust supply chain security practices within the software development lifecycle. As open-source ecosystems continue to grow, it is imperative for organizations and developers to implement proactive measures to detect and mitigate such threats, safeguarding against potential exploitation of trust in widely used libraries and packages.