The article examines how malicious Python packages on PyPI were used as “double agents” to spy on users of a GitHub-hosted Oak-Grabber-V2 builder, with a Nagogy Grabber payload delivered through a malicious dependency. It also covers evasion tricks like Unicode-based obfuscation, repository masquerading, and a user-agent command channel, along with responses from PyPI and GitHub. #OakGrabberV2 #NagogyGrabber #dreamyoak #dynastyoak #user-agents-parser #PyPI #cron
Keypoints
- The Oak-Grabber-V2 repository on GitHub evolved into a stand-alone grabber (Nagogy Grabber) with data-collection capabilities.
- A malicious Python dependency uploaded to PyPI was imported by the builder and automatically downloaded the actual grabber for data exfiltration.
- The repository’s author changed from dynastyoak to dreamyoak, suggesting movement or takedown of the original project.
- Data-collection features included Wi‑Fi passwords, PowerShell history, installed apps, and desktop screenshots, injected through the builder.
- Unicode-based obfuscation (PEP 3131 identifiers) let non-ASCII lookalike identifiers evade static analysers, because the Python parser normalizes them to their ASCII equivalents before binding names.
- A separate package clone (user-agents-parser) demonstrated command execution via User-Agent strings, plus persistence via cron in an earlier version.
- PyPI and GitHub removed the malicious components and the Oak-Grabber-V2 repository, respectively, highlighting platform-level defenses.
MITRE Techniques
- [T1195] Software Supply Chain Compromise – The dependency, a Python package uploaded to PyPI, was imported by the builder when it was run and then automatically downloaded the actual grabber, which collected and exfiltrated data.
- [T1105] Ingress Tool Transfer – The malicious dependency downloaded and integrated the Nagogy Grabber to collect and exfiltrate data.
- [T1059.006] Python – The dependency is entirely valid Python code that downloads and runs a malicious executable.
- [T1027] Obfuscated/Compressed Files and Information – Python converts all identifiers to the NFKC normal form while parsing and compares identifiers on that basis, so non-ASCII identifiers resolve to ordinary ASCII names at runtime while the raw source shows nothing a plain text match would catch.
- [T1036] Masquerading – The author preserved the original project’s website and author information on PyPI, which can mislead users into trusting a popular-looking package.
- [T1053.005] Cron – Persistence for the reverse shell was achieved by registering a cron job in an earlier version.
- [T1041] Exfiltration – The collected data were exfiltrated by the Nagogy Grabber.
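The NFKC trick described under the Unicode-obfuscation keypoint and T1027 can be checked for before a dependency is trusted. The following is an added example, not code from the article or from any of the packages it describes: it tokenizes Python source and reports every identifier containing non-ASCII characters together with the NFKC form the parser actually binds. The SENSITIVE set and the sample source are constructed assumptions.

```python
import io
import tokenize
import unicodedata

# Assumed watch-list: names that a reviewer wants flagged when reached via lookalikes.
SENSITIVE = {"exec", "eval", "__import__", "compile", "subprocess", "os", "urlopen"}


def find_lookalike_identifiers(source: str):
    """Return (line, raw_identifier, nfkc_form, is_sensitive) for each NAME token
    containing non-ASCII characters.

    tokenize yields the raw text, whereas the parser applies NFKC (PEP 3131), so
    the third element is the name the program really binds or calls.
    """
    findings = []
    reader = io.StringIO(source).readline
    for tok in tokenize.generate_tokens(reader):
        if tok.type != tokenize.NAME or tok.string.isascii():
            continue
        normalized = unicodedata.normalize("NFKC", tok.string)
        findings.append((tok.start[0], tok.string, normalized, normalized in SENSITIVE))
    return findings


# Constructed sample: fullwidth Latin letters (U+FF41 onwards) NFKC-normalize to
# ASCII, so a text search for "exec" or "__import__" finds nothing in the file,
# yet Python resolves these identifiers to the builtins of those names.
SAMPLE = """
import base64
ｅｘｅｃ(base64.b64decode(payload))
ｓｕｂｐｒｏｃｅｓｓ = __ｉｍｐｏｒｔ__("subprocess")
total = 0
"""

if __name__ == "__main__":
    for line, raw, norm, hot in find_lookalike_identifiers(SAMPLE):
        flag = "SENSITIVE" if hot else "non-ascii"
        print(f"line {line}: {raw!r} -> {norm!r} [{flag}]")
```

Running the checker over a downloaded package's `.py` files before installing it turns the obfuscation itself into the indicator, regardless of which builtin the lookalike resolves to.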
Indicators of Compromise
- [Package] Oak-Grabber-V2 related packages – argsreq, colarg, colargs, reqarg, reqargs
- [URL] Grabber download URLs – hxxps://api.dreamyoak[.]xyz/cdn/file, hxxps://api2.dreamyoak[.]xyz/cdn/file
- [Package] user-agents-parser variants – user-agents-parser, user-agents-parsers
- [IP] Reverse shell – 95.179[.]177[.]74