Member Article

Python Package Index (PyPI) phishing campaign: JuiceLedger threat actor pivots from fake apps to supply chain attacks

SentinelLabs, in collaboration with Checkmarx, has been tracking the activity and evolution of a threat actor dubbed “JuiceLedger”. In early 2022, JuiceLedger ran relatively low-key campaigns, distributing fraudulent Python installer applications bundled with ‘JuiceStealer’, a .NET infostealer that harvests sensitive data from victims’ browsers.

In August 2022, the threat actor pivoted to poisoning open-source packages, a supply chain attack that reaches a far wider audience with the same infostealer and raises the threat posed by this group considerably. JuiceLedger operators phished PyPI package contributors and successfully poisoned at least two legitimate packages with malware; several hundred additional malicious packages are known to have been typosquatted.

Key findings include:

  • JuiceLedger has rapidly evolved its attack chain from fraudulent applications to supply chain attacks in a little over six months
  • In August, JuiceLedger conducted a phishing campaign against PyPI contributors and successfully compromised a number of legitimate packages
  • Hundreds of typosquatting packages delivering JuiceStealer malware have been identified
  • At least two packages with combined downloads of almost 700,000 were compromised
  • PyPI says that known malicious packages and typosquats have now been removed or taken down

This was posted in Bdaily's Members' News section by P Adams .
