Keypoints
- Malicious PyPI packages contained hidden setup.py code that extended setuptools (egg_info) to run additional logic during installation.
- Attackers stored Base64-encoded URLs and commands in secret GitHub Gists; the setup.py decodes the URL, fetches Base64-encoded Python commands, decodes them, and executes them in a new process.
- Another sample cloned a GitHub repository and inspected the latest commit message for a magic prefix; when present it would strip the prefix, Base64-decode the remainder, and execute it as Python code.
- Use of public services (GitHub Gists, commit messages) served as covert C2 and hosting for second-stage payloads, allowing attacker-controlled content to be delivered via normal developer traffic.
- Base64 encoding was used to obfuscate both URLs and command payloads, complicating automated detection but leaving clear indicators like decoded “http” prefixes.
- ReversingLabs linked multiple malicious packages (listed as PyPI package names and SHA1 hashes) to the campaign and noted reuse of techniques across samples, suggesting a single actor.
MITRE Techniques
- [T1105] Ingress Tool Transfer – Malware fetches second-stage payloads and commands from public hosting (GitHub Gists and repositories): ‘host second stage malware’.
- [T1133] External Remote Services – Use of third-party services for C2 and payload hosting by abusing GitHub features: ‘public services as C2 infrastructure’.
- [T1027] Obfuscated Files or Information – Command URLs and payloads are Base64-encoded to hide intent: ‘Base64 encoded string’.
- [T1059] Command and Scripting Interpreter – Decoded content is executed as Python code in new processes: ‘executing it as a Python command in a new process’.
- [T1071] Application Layer Protocol – Malware communicates with GitHub over normal web/git interfaces to retrieve commands, blending with benign developer traffic: ‘network communication of the infected host with such services is less likely to raise suspicion than communication to an obscure domain or IP address.’
Indicators of Compromise
- [PyPI package names] Malicious packages observed on PyPI – httprequesthub, easyhttprequest, and other similarly named networking utility packages.
- [SHA1 hashes] Package file hashes collected during investigation – fa64041676f22ac3ea55170c6594b5142d3e45ac, abd752e9603f9714f4e8b6860ad148d4003151a2, and 14 more hashes.
- [GitHub account/Gist] Hosting and delivery artifacts – secret Gist owned by user ‘yeremyvalidslov2342’ and cloned fork of a PySocks-like repository used for commit-message delivery.
- [Suspicious filenames/strings] Malicious installer files and encoded strings – malicious setup.py embedding PostEggInfoCommand, and Base64-encoded URL/commit-message payloads.
Rewritten technical procedure:
Both malicious PyPI packages hide their functionality inside setup.py by subclassing and extending the setuptools egg_info command. During installation, PostEggInfoCommand decodes a Base64 string embedded in the package (which reveals an HTTP URL), performs an HTTP GET to retrieve a Base64-encoded payload from a secret GitHub Gist, decodes that payload into Python source, and executes it in a separate process. The technique relies on a packaging hook to run code automatically at install time, letting the attacker stage dynamic commands while the only outbound traffic goes to a well-known service rather than to an obscure domain or IP address that would stand out as a traditional network indicator.
In a second variant, the package clones a specific GitHub repository and inspects the HEAD commit message for a predefined magic prefix. If the prefix is present the code strips it, Base64-decodes the remaining text and executes the result as a Python command in a new process. This mechanism uses standard git operations and commit metadata as a covert channel for command delivery, enabling remote command updates simply by pushing specially crafted commit messages to the targeted repository.
Both approaches use public infrastructure (secret Gists, repository commits) as C2 and delivery mechanisms to blend with normal developer activity, and they rely on Base64 obfuscation to hide URLs and commands from casual inspection or naive scanning. The observed artifacts include multiple PyPI package names and SHA1 hashes tied to the campaign, a throwaway GitHub account hosting secret Gists, and setup.py installer hooks that perform the network fetch, decode, and execution steps.
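The indicators above (a setuptools command subclass or cmdclass override in setup.py, Base64 literals that decode to an "http" URL or to Python source, and calls that execute code or fetch content) can be triaged statically before a package is ever installed. The following scanner is an added defender-side example written for this summary; it is not code from ReversingLabs or from the malicious packages. It parses a setup.py with Python's ast module and reports those indicators. The sample setup.py it runs against is constructed for illustration: the URL is a placeholder on example.invalid, the class name PostEggInfoCommand is taken from the report, and the fetch/execute logic is deliberately omitted.

```python
"""Static triage of a setup.py for the install-time hook pattern described
in the report: a setuptools command subclass (egg_info/install/develop/build_py)
or cmdclass override, Base64 literals that decode to a URL or Python source,
and calls that execute code or pull content from the network.
Added example; the SAMPLE_SETUP_PY below is synthetic and never executed."""
import ast
import base64
import binascii
import re
from typing import Dict, List, Optional

HOOK_BASES = {"egg_info", "install", "develop", "build_py"}
# Calls worth flagging inside an installer: dynamic execution, new processes,
# raw HTTP fetches and programmatic git clones (the two delivery channels
# described in the report).
EXEC_OR_FETCH = {"exec", "eval", "Popen", "check_output", "system",
                 "urlopen", "clone_from"}
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")


def _try_b64(s: str) -> Optional[bytes]:
    """Return decoded bytes if s is a plausible padded Base64 literal."""
    if not B64_RE.match(s) or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_decoded(raw: bytes) -> Optional[str]:
    """Classify decoded bytes as a URL, Python-like source, or nothing."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text.lower().startswith(("http://", "https://")):
        return "base64-url"
    if re.search(r"\b(import|exec|eval|subprocess|urlopen)\b", text):
        return "base64-python"
    return None


def _call_name(node: ast.Call) -> Optional[str]:
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def scan_setup_py(source: str) -> List[Dict[str, object]]:
    """Walk the AST of a setup.py and collect indicator findings."""
    findings: List[Dict[str, object]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", None)
                if name in HOOK_BASES:
                    findings.append({"kind": "setuptools-hook-subclass", "line": node.lineno,
                                     "detail": f"{node.name} extends {name}"})
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            raw = _try_b64(node.value)
            if raw is not None:
                kind = classify_decoded(raw)
                if kind:
                    findings.append({"kind": kind, "line": node.lineno,
                                     "detail": raw.decode("utf-8")[:60]})
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass" and isinstance(node.value, ast.Dict):
            for key in node.value.keys:
                if isinstance(key, ast.Constant) and key.value in HOOK_BASES:
                    findings.append({"kind": "cmdclass-override", "line": node.lineno,
                                     "detail": key.value})
        elif isinstance(node, ast.Call) and _call_name(node) in EXEC_OR_FETCH:
            findings.append({"kind": "dynamic-exec-or-fetch", "line": node.lineno,
                             "detail": _call_name(node)})
    return findings


def is_suspicious(source: str) -> bool:
    """An install hook combined with an obfuscated URL/source is the signal."""
    kinds = {f["kind"] for f in scan_setup_py(source)}
    hooked = bool(kinds & {"setuptools-hook-subclass", "cmdclass-override"})
    obfuscated = bool(kinds & {"base64-url", "base64-python"})
    return hooked and obfuscated


# Constructed sample mirroring the structure described in the report.
# Placeholder URL; the second-stage fetch/exec is intentionally left out.
_PLACEHOLDER_URL = "https://gist.example.invalid/placeholder"
SAMPLE_SETUP_PY = f'''
import base64
from setuptools import setup
from setuptools.command.egg_info import egg_info

ENC = "{base64.b64encode(_PLACEHOLDER_URL.encode()).decode()}"

class PostEggInfoCommand(egg_info):
    def run(self):
        egg_info.run(self)
        target = base64.b64decode(ENC).decode()

setup(name="demo", version="0.1", cmdclass={{"egg_info": PostEggInfoCommand}})
'''

if __name__ == "__main__":
    for f in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {f['line']:3d}  {f['kind']:26s}  {f['detail']}")
    print("verdict:", "SUSPICIOUS" if is_suspicious(SAMPLE_SETUP_PY) else "clean")
```

Run it over every setup.py in a dependency's sdist before installing in a build environment; the combination of an install hook and an obfuscated URL or source literal is a much stronger signal than either alone, since legitimate packages do occasionally extend egg_info for version metadata.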
Read more: https://www.reversinglabs.com/blog/malware-leveraging-public-infrastructure-like-github-on-the-rise