Researchers have identified a malicious PyPI package called “VMConnect” that was designed to closely resemble a legitimate VMware vSphere connector module; it had been downloaded 237 times.
The researchers said they reported the malicious PyPI packages to the registry administrators, who promptly took them down. They also reached out to the user huski502, the name listed on both the GitHub and PyPI versions of the counterfeit package, giving notice well before going public.
While investigating the malicious PyPI package, the researchers said they discovered two other packages: “ethter” (253 downloads) and “quantiumbase” (216 downloads). According to the researchers, these two packages share the same structure and technique as VMConnect and carry an identical payload.
VMware vSphere users should be diligent when obtaining the legitimate Python connector module and should refer to the project’s official documentation and repository for installation instructions.
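One practical check that follows from this advice is to screen a requirements file against a list of packages the organization has actually vetted, flagging anything unknown and, separately, anything whose name is a near-miss of an approved name (the impersonation pattern described above). The script below is an added example, not code from Sonatype or from the article. The allowlist, the requirements text and the near-miss entry “pyvmoni” are constructed for illustration; “pyvmomi” is assumed here to be the legitimate vSphere SDK the impostor imitates, which the article does not name.

```python
"""Screen a requirements file against an approved-package allowlist.

Added example, not code from Sonatype or the original article. The
allowlist, the requirements text and the near-miss entry "pyvmoni" are
constructed for illustration. "pyvmomi" is assumed to be the legitimate
vSphere SDK that VMConnect imitates; the article does not name it.
"""
import re
from difflib import SequenceMatcher

# Constructed allowlist of packages an organization has vetted.
APPROVED = {"pyvmomi", "requests", "pyyaml"}

# Constructed requirements.txt contents. The three unqualified names are
# the packages named in the article; "pyvmoni" is a made-up near-miss.
SAMPLE_REQUIREMENTS = """\
# deployment tooling
requests==2.31.0
PyYAML>=6.0
VMConnect
ethter
quantiumbase
pyvmoni==8.0.1
"""


def normalize(name):
    """PEP 503 name normalization: lowercase, collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return normalized project names from requirements.txt-style text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        # Cut at the first version specifier, extras bracket, marker or URL.
        name = re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]
        names.append(normalize(name))
    return names


def closest_approved(name, approved):
    """Return (approved_name, ratio) for the most similar approved name."""
    best, best_ratio = None, 0.0
    for candidate in approved:
        ratio = SequenceMatcher(None, name, candidate).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best, best_ratio


def screen(text, approved=APPROVED, near_miss=0.8):
    """Classify each requirement as 'approved', 'near-miss' or 'unknown'.

    A near-miss is a name that is not approved but closely resembles an
    approved one, which is the shape a typosquat or impostor package takes.
    """
    approved = {normalize(a) for a in approved}
    report = {}
    for name in parse_requirements(text):
        if name in approved:
            report[name] = ("approved", name)
            continue
        match, ratio = closest_approved(name, approved)
        if ratio >= near_miss:
            report[name] = ("near-miss", match)
        else:
            report[name] = ("unknown", None)
    return report


if __name__ == "__main__":
    for name, (verdict, match) in screen(SAMPLE_REQUIREMENTS).items():
        print(f"{name:14} {verdict:9} {match or ''}")
```

Run as a pre-install gate in CI, an “unknown” verdict means the package has never been reviewed and should be looked up in the upstream project’s documentation before it is pulled; a “near-miss” verdict deserves a closer look still, since it is the pattern an impostor package relies on.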
Attackers know how important VMware vCenter is and how developers interface with it. Open-source software libraries remain the soft underbelly through which they inject code into their victims’ environments.
Threat actors are taking advantage of weaknesses in open-source software and in delivery chains such as PyPI, which lack the resources to police what is published.
Organizations can start addressing this by contributing to open-source projects, whether through source code contributions, code reviews, or help with the processes that protect those delivery chains. Such contributions add much needed resources to protect both the software and the mechanisms that deliver it.
This research was documented by researchers from Sonatype.