The W4SP Stealer is a harmful threat designed to harvest sensitive and confidential information from the systems it infects. More specifically, the threat goes after the victim's Discord tokens, cookies and saved account credentials. The collected data is then exfiltrated to the attackers. The threat has been observed on multiple occasions to be spread via malicious Python packages on the PyPI registry.
Details about the malicious campaign were released to the public in a report by security researchers at a software supply chain security company. According to their findings, the W4SP Stealer's operators relied on typo-squatting tactics to get victims to download the weaponized packages.
Typo-squatting refers to the use of names that are misspellings of popular or legitimate destinations, sites, software products, etc. In this case, the threat actors intentionally published their malicious packages under names closely resembling those of well-known and commonly used Python libraries. If a developer makes a spelling error while typing the name of the legitimate package, they would likely end up installing the W4SP-delivering one instead. In total, 29 packages were mentioned in the Phylum report, including typesutil, typestring, pyhints, pystyte, installpy, colorwin and more. It is estimated that packages carrying the W4SP Stealer threat have been downloaded close to six thousand times.
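A defensive check for the typo-squatting tactic described above, added here as an example and not code from the report or any project: it audits a requirements file and flags any package name that is one edit (insertion, deletion, substitution or adjacent transposition) away from a known-good name. The allowlist and the sample requirements are constructed for the example; a real deployment would use the organization's own curated list of approved packages.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed allowlist of approved packages (assumption, not from the report).
KNOWN_GOOD: Set[str] = {
    "requests", "colorama", "typing-extensions", "pytest",
    "numpy", "setuptools", "pillow", "urllib3",
}

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -_. become a single -."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (Levenshtein + adjacent transpositions),
    so 'reqeusts' is one edit from 'requests' rather than two."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev = prev, cur
    return prev[len(b)]

def nearest_known(name: str, known: Set[str] = KNOWN_GOOD,
                  max_distance: int = 1) -> Optional[Tuple[str, int]]:
    """Return (known_name, distance) if `name` is a near miss of an approved
    package, None if it is approved itself or not close to anything."""
    n = normalize(name)
    if n in known:
        return None
    best = min(known, key=lambda k: osa_distance(n, k))
    d = osa_distance(n, best)
    return (best, d) if d <= max_distance else None

def package_name(requirement_line: str) -> Optional[str]:
    """Extract the project name from one requirements.txt line."""
    line = requirement_line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None

def audit_requirements(text: str, known: Set[str] = KNOWN_GOOD,
                       max_distance: int = 1) -> Dict[str, Tuple[str, int]]:
    """Map each suspicious requirement to the approved name it resembles."""
    findings: Dict[str, Tuple[str, int]] = {}
    for line in text.splitlines():
        name = package_name(line)
        if name is None:
            continue
        hit = nearest_known(name, known, max_distance)
        if hit:
            findings[name] = hit
    return findings

# Constructed sample input: two near-miss names among legitimate ones.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
reqeusts            # constructed: transposed letters in requests
colourama>=0.4      # constructed: extra letter in colorama
Pillow
flask
"""
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` flags `reqeusts` and `colourama` and leaves `requests`, `Pillow` and `flask` alone; wire it into CI or a pre-commit hook so the check runs before `pip install` does.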