In early August, the research team at ReversingLabs discovered a malicious software supply chain campaign it named VMConnect. The campaign consisted of 24 malicious Python packages. The team also identified three widely used open-source Python tools that packages in the campaign imitated.
The researchers found that the operators behind this campaign went to great lengths to appear authentic in their activities. They created GitHub repositories with genuine-looking descriptions and even used legitimate source code.
The latest packages found in this campaign were ‘tablediter’ (736 downloads), ‘request-plus’ (43 downloads), and ‘requestspro’ (341 downloads). The first pretended to be a table-editing utility, while the other two impersonated ‘requests’, the widely used Python library for HTTP requests.
Although ReversingLabs could not definitively attribute this campaign to a specific threat actor, CrowdStrike’s analysts confidently associated the malware with Labyrinth Chollima, a subgroup of the Lazarus Group, a North Korean state-sponsored threat group. JPCERT/CC also linked the attack to another Lazarus Group subgroup called DangerousPassword. Given these attributions and the code similarities between the packages found in the VMConnect campaign and those described in JPCERT/CC’s research, the researchers concluded that the same threat actor is responsible for both attacks.
Overall, the VMConnect campaign is another example of attacks targeting users of the PyPI repository. To protect against such threats, organizations should invest in training and awareness to combat typosquatting and other impersonation attacks while strengthening their technical defenses.
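Awareness alone does not catch a lookalike name in a dependency list, so the check below flags package names that imitate a well-known one, using the ‘request-plus’ and ‘requestspro’ names from this campaign as sample input. It is an added example, not code from ReversingLabs or from the campaign write-up; the KNOWN_PACKAGES allow-list and the distance and affix thresholds are assumptions chosen for illustration.

```python
# Added example (not from the ReversingLabs write-up): a lookalike check that a
# CI job can run over a requirements file. KNOWN_PACKAGES is a constructed
# allow-list and the thresholds are heuristics, not published rules.
import re

KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "pandas", "flask", "django"}

def normalize(name: str) -> str:
    """PEP 503-style normalization: lowercase, collapse -, _ and . to one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name: str, known=KNOWN_PACKAGES):
    """Return the known package `name` imitates, or None.
    Flags a one-edit typo ('requets') or a known name (or the name minus its
    last letter) with a short affix glued on, as in 'request-plus'/'requestspro'.
    Legitimate plugins such as flask-login carry longer affixes and pass."""
    n = normalize(name)
    if n in known:
        return None
    flat = n.replace("-", "")
    for k in known:
        if edit_distance(n, k) <= 1:
            return k
        for stem in (k, k[:-1]):
            if len(stem) >= 6 and flat.startswith(stem) and 0 < len(flat) - len(stem) <= 4:
                return k
    return None

def scan_requirements(text: str) -> dict:
    """Map each suspicious requirement to the package it resembles."""
    hits = {}
    for line in text.splitlines():
        pkg = re.split(r"[<>=!~\[; ]", line.split("#", 1)[0].strip(), 1)[0]
        if pkg and lookalike_of(pkg):
            hits[pkg] = lookalike_of(pkg)
    return hits

# Constructed sample mixing the VMConnect names with legitimate dependencies.
SAMPLE = "requests==2.31.0\nrequest-plus\nrequestspro>=1.0\ntablediter\nflask-login\nnumpy\n"
```

Running `scan_requirements(SAMPLE)` reports the two ‘requests’ lookalikes and nothing else; ‘tablediter’ passes because it imitates a category of tool rather than a specific package name, which is why an allow-list of reviewed dependencies is still needed alongside this heuristic.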