10 Python Libraries That Steal Credentials Have Been Found on PyPI

Aelius Venture
Aug 16, 2022

Threat researchers have found ten malicious Python packages on the PyPI repository that were being used to infect developers’ computers with password-stealing malware. The bogus packages used typosquatting to pass for well-known software projects and entice PyPI users into downloading them.

Millions of registered users can quickly incorporate over 350,000 open-source software packages from PyPI (Python Package Index) into their Python projects and create sophisticated products with little effort.

The following PyPI packages were used to steal credentials:

  • Ascii2text:

Ascii2text mimics “art,” a well-known ASCII art Python library, using the same description but omitting the release information. Through a Discord webhook, the code retrieves a malicious script that looks for local passwords and exfiltrates them.

  • Pymocks, PyProto2, and Pyg-utils:

All three packages target AWS credentials and resemble another group of packages that Sonatype found in June. The first even connects to “pygrata.com,” while the other two connect to “pymocks.com.”

  • Test-async:

A nonspecific package that downloads malicious code from a remote source and alerts a Discord channel to the presence of a fresh infection.

  • Free-net-VPN and Free-net-VPN2:

Harvesters of user credentials, posted to a website that has a dynamic DNS mapping service.

  • Zlibsrc:

This package imitates the zlib project and includes a script that downloads and executes a malicious file from a third-party source.

  • Browserdiv:

Browserdiv is a package aimed at web design programmers’ credentials. It uses Discord webhooks to exfiltrate the data.

  • WINRPCexploit:

WINRPCexploit is a credential-stealing toolkit that claims to automate the exploitation of the Windows RPC vulnerability. When it is executed, it sends environment variables, which frequently include credentials, to a remote website under the attacker’s control.

Although CheckPoint reported the detected packages and PyPI removed them, software developers who downloaded them onto their workstations may still be at risk.

The developer’s machine may be only the starting point of a widespread infection, so code should be examined for malicious content. In many cases, the malicious packages lay the groundwork for potential supply chain attacks.
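One way for a developer to check whether any of the ten packages named above is listed in a requirements file or installed in the current environment (an added example, not code from CheckPoint or the original article). The sample requirements lines are constructed, and names are compared after PEP 503 normalization, so only the exact project names match, not near-misses such as `zlib-src`.

```python
import re
from importlib import metadata

# Package names exactly as listed in the article above.
REPORTED = ["Ascii2text", "Pymocks", "PyProto2", "Pyg-utils", "Test-async",
            "Free-net-VPN", "Free-net-VPN2", "Zlibsrc", "Browserdiv",
            "WINRPCexploit"]

def normalize(name):
    """PEP 503 form: pip treats 'Pyg_Utils' and 'pyg-utils' as one project."""
    return re.sub(r"[-_.]+", "-", name).lower()

BLOCKLIST = {normalize(n) for n in REPORTED}
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def flagged_requirements(lines):
    """Return (line_number, name) for requirement lines naming a reported package."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        line = line.split("#", 1)[0]          # drop trailing comments
        m = _REQ_NAME.match(line)             # option lines such as '-r x' do not match
        if m and normalize(m.group(1)) in BLOCKLIST:
            hits.append((lineno, m.group(1)))
    return hits

def flagged_installed():
    """Return installed distribution names in this environment that are on the list."""
    found = set()
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name and normalize(name) in BLOCKLIST:
            found.add(name)
    return sorted(found)

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
pyg_utils>=0.1        # constructed entry
Free.Net.VPN2
zlib-src
art==5.7
-r other.txt
""".splitlines()

if __name__ == "__main__":
    for lineno, name in flagged_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno}: {name} is on the reported list")
    for name in flagged_installed():
        print(f"installed: {name} is on the reported list")
```

A match means the environment should be treated as exposed: the packages described above send credentials off the machine when they run, so removing the package alone does not undo the exposure.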

Users are responsible for carefully examining names, release histories, submission data, homepage links, and download counts; no package in PyPI offers security guarantees.

In conclusion, the revelation is the most recent instance of threat actors publishing malicious software on widely used software repositories like PyPI to disrupt the software supply chain, adding to a quickly growing series of recent incidents.
