According to software supply chain security company Phylum, threat actors have begun posting malicious packages to the PyPI, npm, and RubyGems repositories as part of a new campaign to steal user information.
Over the weekend, the first malicious packages with a focus on macOS users were uploaded to the PyPI and npm repositories. The PyPI package that Phylum first noticed was intended to gather data about the victim’s computer and exfiltrate it to a server under the control of the attacker. Additionally, the code would distribute later versions that contained more malicious payloads.
The identified RubyGems package behaved similarly: it targeted only macOS systems, gathering system information and transmitting it to a remote server.