Cybersecurity researchers have identified two malicious Python packages uploaded to the Python Package Index (PyPI), designed to impersonate popular AI models like OpenAI ChatGPT and Anthropic Claude. These packages, gptplus and claudeai-eng, were used to distribute an information stealer named JarkaStealer.
Uploaded by a user named "Xeroline" in November 2023, the packages collectively amassed nearly 3,600 downloads before being removed from PyPI.
A Closer Look at the Attack
The malicious packages claimed to provide access to AI APIs such as GPT-4 Turbo and Claude AI. Instead, they contained Base64-encoded code in their __init__.py files, triggering the following chain of events:
- Download of Malicious Files: The code fetched a Java archive file, JavaUpdater.jar, from a GitHub repository.
- Runtime Environment Setup: If Java was not installed, the packages downloaded the Java Runtime Environment (JRE) from a Dropbox link.
- Deployment of JarkaStealer: The JAR file executed the Java-based information stealer, which targeted:
- Web Browser Data: Extracting cookies, saved passwords, and autofill data.
- System Information: Gathering hardware and software details.
- Session Tokens: Compromising applications like Telegram, Discord, and Steam.
- Screenshots: Capturing user activity on infected systems.
The stolen information was archived, sent to an attacker-controlled server, and then deleted from the victim's machine to cover the attacker's tracks.
JarkaStealer as Malware-as-a-Service (MaaS)
JarkaStealer is offered as a service through a Telegram channel, priced between $20 and $50. Its source code has also been leaked on GitHub, increasing its availability to malicious actors.
Global Impact
Statistics from ClickPy reveal that the packages were predominantly downloaded by developers in the U.S., China, India, France, Germany, and Russia, highlighting the global scope of the attack.
The Bigger Picture: Supply Chain Risks
This incident emphasizes the ongoing threat of software supply chain attacks, where malicious actors compromise widely used repositories to deliver malware.
"The discovery underscores the persistent risks of software supply chain attacks and highlights the critical need for vigilance when integrating open-source components into development processes," said Kaspersky researcher Leonid Bezvershenko.
