June 6, 2023

Researchers have spotted a malicious open-source Python .who (Wheel) files were found distributing a new malware dubbed KEKW that can steal sensitive information from infected systems by incorporating clipper activities with infostealer to hijack cryptocurrency transactions.

Researchers explained that the Python packages under scrutiny were not present in the actual PyPi  repository, indicating that the Python security team removed the malicious packages. Since the malicious packages were taken down quickly, it is impossible to determine the number of people who downloaded them. However, they believe that the impact of the incident may have been minimal.

The incident brings up an ongoing issue for the open-source community. PyPi has become a widely used repository for software packages using the Python programming language. Developers used it to share and download Python code. Because of the widespread use of PyPi, it has now become a desirable target for threat actors looking to attack developers.


The malicious packages are usually uploaded by disguising them as useful software or by imitating well-known projects by altering their names.

Threat actors are taking advantage of open-source software vulnerabilities because of the lack of resources in open-source development and open-source delivery chains, such as NPM and PyPi. Taking over abandoned projects, name spoofing, and malicious contributions are some ways attackers take advantage of under-resourced teams providing these pipelines.

This vector is being exploited due to its low cost of entry and high effectiveness. It is going to get harder and harder to keep up with such an effective attack vector without a major change in how these libraries get delivered into software that uses them.

This research was documented by researchers from Cyble Research and Intelligence Labs

Leave a Reply

%d bloggers like this: