Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

Cybercriminal Posed as 'Helpful' Stack Overflow User To Recommend Malware Hosted on PyPi (bleepingcomputer.com) 43

An anonytmous reader shared a recent report from BleepingComputer: Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware — answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware... "We further noticed that a StackOverflow account 'EstAYA G' [was] exploiting the platform's community members seeking debugging help [1, 2, 3] by directing them to install this malicious package as a 'solution' to their issue even though the 'solution' is unrelated to the questions posted by developers," explained Sonatype researcher Ax Sharma in the Sonatype report.
Sonatype's researcher "noticed that line 17 was laden with ...a bit too many whitespaces," according to the report, "in turn hiding code much further to the right which would be easy to miss, unless you notice the scroll bar. The command executes a base64-encoded payload..."

And then, reports BleepingComputer... When deobfuscated, this command will download an executable named 'runtime.exe' from a remote site and execute it. This executable is actually a Python program converted into an .exe that acts as an information-stealing malware to harvest cookies, passwords, browser history, credit cards, and other data from web browsers. It also appears to search through documents for specific phrases and, if found, steal the data as well.

All of this information is then sent back to the attacker, who can sell it on dark web markets or use it to breach further accounts owned by the victim.

This discussion has been archived. No new comments can be posted.

Cybercriminal Posed as 'Helpful' Stack Overflow User To Recommend Malware Hosted on PyPi

Comments Filter:
  • Where's the feds? (Score:2, Insightful)

    by backslashdot ( 95548 )

    They're just gonna allow people to do this stuff?

    • Re:Where's the feds? (Score:5, Informative)

      by slack_justyb ( 862874 ) on Monday June 03, 2024 @06:55AM (#64519419)

      What the hell is the US law enforcement going to do for someone who is likely not inside their jurisdiction? If the Feds got involved every time some person got duped, they'd be busy reeducating fools. Which we already have a place for that, it's called school.

      What this is, is a great lesson for folks who blindly accept the words of unknown folks online. There's a super simple solution to this that doesn't require taxpayer money going to an alphabet soup agency for shit these people should have learned in elementary school.

      Don't believe everything you read on the internet.

      - Abraham Lincoln

      Perhaps the folks who are affected will get this concept stuck inside that gray thing between their ears. One can only hope, even if it's a fool's hope in this case.

  • by wildstoo ( 835450 ) on Monday June 03, 2024 @03:01AM (#64519109)

    Can't wait for the first time an LLM "helps" a user by just vomiting up malware install instructions.

    • by Kelxin ( 3417093 ) on Monday June 03, 2024 @08:00AM (#64519531)
      They already are. https://www.wired.com/story/go... [wired.com]
    • by Anonymous Coward
      Google's AI apparently was recently telling people that jumping off the Golden Gate Bridge was a solution for depression. It also recommended smoking cigarettes while pregnant and drinking alcohol to reduce the stress of rush-hour driving.
      • haha but ending your life is "a" solution to depression. I wouldn't call it a good solution but it's a solution. A permanent solution to a temporary problem.

    • You just know that this malware was included in some AI training sets...
      On the bright side, since AI doesn't actually have intelligence or understanding, it will likely screw up the malware by rewriting it so that it doesn't work.

  • by vistic ( 556838 ) on Monday June 03, 2024 @03:05AM (#64519113)

    Everyone wants a quick shortcut to everything. AI will make this worse. There really is no better replacement for Actually Knowing What You Are Doing, and there never will be.

    • by gweihir ( 88907 )

      Indeed. But there is no way to make that clear to most people, because they are intellectually lazy as well.

      We really are accelerating the division of IT into technicians (can use AI and has some minimal skills besides that) and engineers (a small minority that actually knows what they are doing). As technicians become less and less valuable, more and more of them will face unemployment.

    • The problem is that this counts as "documentation" these days. Just try to use some Azure service and the only documentation you will get are some code snippets in a language you do not use, using a library that hides all the details from you.
    • But knowing what you're doing is HARD. Copy/pasting someone else work is so much easier!

  • Singular? (Score:4, Insightful)

    by eneville ( 745111 ) on Monday June 03, 2024 @03:18AM (#64519123) Homepage

    This isn't the first time someone on the internet gives bad advice now is it.

    • Quite a difference between someone trying to help but getting it wrong and someone actively posting wrong answer, or even worse, like in this case, intentionally trying to wreak havoc and to exploit the one(s) looking for answers.

    • It's not the first time someone uses social engineering as a way to spread malware. It might be the first time that behavior has been seen on StackOverflow.

  • we all know (Score:5, Informative)

    by serafean ( 4896143 ) on Monday June 03, 2024 @03:24AM (#64519127)

    Yet we all do it...
    https://thejh.net/misc/website... [thejh.net] , at the time of writing, this was a safe toy to demonstrate this.

    Even though I know about this, and remind myself regularly, I still do paste into the terminal.

    • Yet we all do it... https://thejh.net/misc/website... [thejh.net] , at the time of writing, this was a safe toy to demonstrate this.

      Even though I know about this, and remind myself regularly, I still do paste into the terminal.

      I didn't try pasting what you linked to - the prospect gave me the heebie jeebies. On those rare occasions when I do paste commands into the terminal, I always read, parse out, and (mostly at least) understand the content. I do that both before and after pasting. And the terminal window saves my ass if there's a CR, by warning me of an unsafe paste. I've been thankful for that on several occasions.

      • Reading and understanding the command on the page wouldn't help here, unless you read and understand the final contents of your clipboard...
        Go view the source ;)

        • by PPH ( 736903 )

          Reading and understanding the command on the page wouldn't help here,

          Guess I'm getting old. I can't read the stuff sized at -100px. ;-)

        • Reading and understanding the command on the page wouldn't help here, unless you read and understand the final contents of your clipboard... Go view the source ;)

          I just tried it - in a text editor first, where all the extra text showed up. After that, I pasted it into a terminal window, and got an "unsafe paste" warning popup which showed all the extra stuff my text editor had already revealed.

          xfce4-terminal FTW!

    • by gweihir ( 88907 )

      Anybody that does not want to try this (which is a good idea), just use "view source".

    • by PPH ( 736903 )

      Hah! Fooled them.

      I copy/paste into a vi session.

      Just waiting until some hacker includes an ESC and a shell command. :-(

  • the mean IQ of the Stack Overflow users that has been falling for years has crossed a threshold meaning that such attacks are now feasible.

  • by Rei ( 128717 ) on Monday June 03, 2024 @04:48AM (#64519225) Homepage

    Fortunately there's a plugin available [chromewebstore.ru] for Chrome that automatically detects and warns about known phishing and malware attempts, and which is pretty responsive to such threats.

  • by nicolaiplum ( 169077 ) on Monday June 03, 2024 @04:51AM (#64519229)

    The real achievement here is someone managing to get an answer onto Stack Overflow. That makes the exploit very difficult!

  • by ClueHammer ( 6261830 ) on Monday June 03, 2024 @05:15AM (#64519267)
    Is still the user... With declining IQ planet wide, this is only going to get worse
  • SO is a tool like any other. (Yes, as are LLMs.)

    Yes, you can cut your hand off with a tool, if you use it blindly/stupidly. So ... don't do that.

    Just taking a "tools are evil" stance is just as stupid though.

    • by Entrope ( 68843 )

      Did anyone claim that SO is evil? (If so, I missed it.) This seems much more like a warning. To extend your analogy, they're saying "it's easy to accidentally cut off your hand when you do this specific thing, so pay attention when you're doing that thing".

    • by gweihir ( 88907 )

      While I agree, some tools are "experts-only" because they are too dangerous for regular people.

  • ... don't just copy or take over anything from Stack Overflow.

  • by jenningsthecat ( 1525947 ) on Monday June 03, 2024 @07:18AM (#64519455)

    Another example of social engineering - and a pretty unsophisticated one at that. All of us occasionally learn something the hard way.

    I feel bad for anyone who got pwned this way; but the upside is that they'll probably refrain from doing it again. Or they'll win a Darwin award. Either way, it's a self-limiting problem.

    • by gweihir ( 88907 )

      Indeed. It is more like the attacker wanted to see whether people are really this stupid. And look, they are.

  • Betcha the goal is to train OpenAI on these.

    And, seriously, anybody here could do better on the actual SE attack.

  • See the best new exciting insight on this subject the internet has to offer here: www.dumbass.net. Or save us both the trouble and just snail mail us cash.

  • by xack ( 5304745 ) on Monday June 03, 2024 @09:03AM (#64519671)
    Except now instead of crashing your system, we know get actual malware instead. The internet, as always is full of horrible people, it's just that its now done for profit instead of fun.
  • Cybercriminals are .. directing them to install this malicious package ..

"Yes, and I feel bad about rendering their useless carci into dogfood..." -- Badger comics

Working...