Fake ChatGPT and Claude Libraries on PyPI Caught Spreading Data-Stealing Malware

Fake ChatGPT and Claude Libraries on PyPI Caught Spreading Data-Stealing Malware

Here’s the enhanced and simplified version:

Malicious PyPI Packages Exploit AI Model Names to Spread Malware

Key Points:
– Two malicious packages on PyPI impersonated ChatGPT and Claude AI
– The packages (gptplus and claudeai-eng) were uploaded by “Xeroline” in November 2023
– Combined downloads reached over 3,500 before removal from PyPI

Technical Details:
– The packages claimed to provide access to GPT-4 Turbo and Claude AI APIs
– Malware deployment occurred through Base64-encoded data in “__init__.py”
– The process downloads “JavaUpdater.jar” and JRE if needed

Threat Analysis:
– The malware (JarkaStealer) targets:
* Web browser data
* System information
* Screenshots
* Session tokens (Telegram, Discord, Steam)
– Stolen data is sent to attacker servers and deleted locally
– JarkaStealer is available as Malware-as-a-Service for $20-$50

Impact:
– Affected users primarily in US, China, India, France, Germany, and Russia
– Part of a year-long supply chain attack campaign
– Highlights ongoing risks in open-source software security

This incident emphasizes the importance of careful verification when using open-source components and the growing trend of cybercriminals exploiting popular AI brands for malicious purposes.

Share This Article