• Latest
  • Trending
PyPI package ‘keep’ mistakenly included a password stealer

PyPI package ‘keep’ mistakenly included a password stealer

June 13, 2022
Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023
Vice President Dr. Bawumia inaugurates  ICT Hub

Vice President Dr. Bawumia inaugurates ICT Hub

April 2, 2023
Co-Creation Hub’s edtech accelerator puts $15M towards African startups

Co-Creation Hub’s edtech accelerator puts $15M towards African startups

February 20, 2023
Data Leak Hits Thousands of NHS Workers

Data Leak Hits Thousands of NHS Workers

February 20, 2023
EU Cybersecurity Agency Warns Against Chinese APTs

EU Cybersecurity Agency Warns Against Chinese APTs

February 20, 2023
How Your Storage System Will Still Be Viable in 5 Years’ Time?

How Your Storage System Will Still Be Viable in 5 Years’ Time?

February 20, 2023
The Broken Promises From Cybersecurity Vendors

Cloud Infrastructure Used By WIP26 For Espionage Attacks on Telcos

February 20, 2023
Instagram and Facebook to get paid-for verification

Instagram and Facebook to get paid-for verification

February 20, 2023
YouTube CEO Susan Wojcicki steps down after nine years

YouTube CEO Susan Wojcicki steps down after nine years

February 20, 2023
Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Friday, 17 July, 2026
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

PyPI package ‘keep’ mistakenly included a password stealer

by ITECHNEWS
June 13, 2022
in Infosec, Leading Stories
0 0
0
PyPI package ‘keep’ mistakenly included a password stealer

PyPI packages ‘keep,’ ‘pyanxdns,’ ‘api-res-py’ were found to be containing a backdoor due to the presence of malicious ‘request’ dependency within some versions.

For example, while most versions of ‘keep’ project use the legitimate Python module requests for making HTTP requests, ‘keep’ v.1.2 contains ‘request’ (without s) which is malware.

YOU MAY ALSO LIKE

French Telco Orange Hit by Cyber-Attack

ATC Ghana supports Girls-In-ICT Program

BleepingComputer reached out to the authors of each of these packages to understand if this was caused by a mere typographical error,  self-sabotage, or by maintainer accounts getting hijacked.

PyPI package ‘keep’ uses malicious ‘request’

Some versions of PyPI packages, ‘keep,’ ‘pyanxdns,’ and ‘api-res-py’ were caught using a malicious dependency, ‘request,’

Back in May, GitHub user duxinglin1 noticed the vulnerable versions contained the misspelled ‘request’ dependency, as opposed to the legitimate requests library.

As such, the following CVEs have been assigned this week with regards to the vulnerable versions:

  • CVE-2022-30877 – ‘keep’ version 1.2 contains the backdoor ‘request’, contrary to what the advisory implies.
  • CVE-2022-30882 – ‘pyanxdns’ version 0.2 impacted
  • CVE-2022-31313 – ‘api-res-py’ version 0.1 impacted

Although ‘pyanxdns’ and ‘api-res-py’ might be small scale projects,  the ‘keep’ package, in particular, gets downloaded over 8,000 times in a week on average—with its version 1.2 using the malicious dependency:

PyPI keep package homepage
Version 1.2 of PyPI package ‘keep’ contains a reference to malicious ‘request’ dependency
pypi package keep uses request as a dependency
Usage of malicious ‘request’ dependency in ‘keep’ version 1.2 (BleepingComputer)

Back in 2020, Tencent Onion Anti-Intrusion System discovered a malicious typosquat ‘request’ uploaded to the PyPI registry which impersonated the requests HTTP library but instead dropped malicious info-stealers.

“We found a malicious backdoor in version 1.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by PyPI, many mirror sites did not completely delete this package, so it could still be installed,” writes GitHub user duxinglin1.

The malicious code inside the counterfeit ‘request’ is highlighted below:

Inside counterfeit PyPI package request
Inside counterfeit PyPI package ‘request’ (BleepingComputer)

Line 57 contains a base64-encoded URL to the ‘check.so’ malware shown below. Threat intel analyst blackorbird additionally identified another URL (x.pyx), also shown below, associated with the counterfeit ‘request’ dependency:

http://dexy[.]top/request/check.so
http://dexy[.]top/x.pyx

The file ‘check.so’ delivers a Remote Access Trojan (RAT), whereas ‘x.pyx’ obtained by BleepingComputer contains info-stealing malware that steals cookies and personal information from web browsers such as Chrome, Firefox, Yandex, Brave, and many more:

x.pyx file contents
x.pyx file contents decoded by BleepingComputer (BleepingComputer)

The info-stealing trojan will attempt to steal login names and passwords stored in web browsers.

After obtaining access to user credentials, threat actors can then attempt to compromise other accounts used by the developer, potentially leading to even further supply-chain attacks.

Hijack or a genuine typo?

The presence of a malicious dependency in multiple PyPI packages does raise a crucial  question—how did this occur?

BleepingComputer reached out to the authors of each of these packages to understand if this was caused by a mere typographical error,  self-sabotage, or by maintainer accounts getting hijacked.

We heard back from the author and maintainer of ‘pyanxdns’, Marky Egebäck, who confirms this is resulting from a typographical error rather than an account compromise.

And, from the looks of it, it appears the authors of other two packages also inadvertently introduced ‘request’ as opposed to the legitimate ‘requests’ due to an innocent typing mistake.

“Sorry to say by a simple typo in the setup.py file since git history shows that this was added when the install_requires was added by me,” Egebäck told BleepingComputer.

The developer has since reuploaded a new version to PyPI and deleted the version referencing the malicious “request” dependency.

“This was [an] honest mistake based on a typo in the setup.py. I generally don’t publish things on PyPI but I made this quickly for a friend and myself. Not sure if he as promoted this but the purpose was mainly for personal use in [an] internal docker project,” says Egebäck.

Egebäck appreciated GitHub user duxinglin1 for highlighting the presence of the malicious dependency in his project and explained how he hasn’t spent much time in maintaining the contributed Python project lately:

“What can of course have been done a lot better would have been to have fixed this earlier but did not understand the severity of it and since I put very little time sadly [nowadays] with coding it took a long time,” says Egebäck.

When coding applications, innocent typing mistakes on the developer’s part can inadvertently lend success to typosquatting attacks that count on such exact slip ups to compromise the broader software supply chain.

Although in this case, the malicious ‘request’ dependency has long been removed from the PyPI registry, anybody using a vulnerable version of the PyPI packages and relying on a mirror to fetch dependencies can end up with malicious info-stealers on their system.

Source: Ax Sharma
Via: bleepingcomputer
Tags: PyPI package 'keep' mistakenly included a password stealer
ShareTweet

Get real time update about this post categories directly on your device, subscribe now.

Unsubscribe

Search

No Result
View All Result

Recent News

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025

Recent News

  • Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa July 29, 2025
  • French Telco Orange Hit by Cyber-Attack July 29, 2025
  • ATC Ghana supports Girls-In-ICT Program April 25, 2023
  • Vice President Dr. Bawumia inaugurates ICT Hub April 2, 2023
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
Go to mobile version