Researchers at Phylum discovered a malicious package on the Python Package Index (PyPI) named requests-darwin-lite. This package appeared to be a fork of the popular requests library, commonly used to make HTTP requests in Python applications.

The attackers behind the malicious package used steganography to hide data within seemingly harmless content to conceal a Go binary inside a PNG image. This binary would only execute on specific machines with a predetermined UUID, making it a targeted attack.

Steganography can be a very effective way for attackers to hide malicious code, which can be difficult to detect. In this case, the attackers could hide the Go binary within a PNG image, a common file format that users often trust.

It is important to be aware of the risks associated with downloading packages from PyPI, even if they appear legitimate forks of popular libraries. Always carefully review the code of any package before you install it, and only download packages from trusted sources.

Here are some additional tips for staying safe when downloading packages from PyPI:

  • Only install packages that you need and trust.
  • Read the reviews and ratings of packages before installing them.
  • Use a virtual environment to isolate the dependencies of your projects.
  • Keep your Python packages up to date.

By following these tips, you can help to reduce the risk of installing malicious code on your system.