zahlman•6mo ago
> The PyPI package vfunctions is a malicious surveillance package whose routines (webcam capture, file infection, and startup persistence) activate only when explicitly invoked, but the code’s purpose and effect remain malicious.
> PyPI’s security team indicated that vfunctions does not trigger automatically and should be viewed as “bad practice” unless a user or attacker runs its exported functions. We acknowledge this but retain a malware classification because those functions enable full surveillance once invoked.
> However, any script or threat actor that calls its exported functions gains full webcam capture, exfiltration, and self‑replication capabilities, making the package a latent but serious supply chain threat.
... Yes. Anyone who decides to download a package named "vfunctions" with no documentation and no GitHub presence, install it, then write code that imports the library and calls functions with names like `Infect_Files`, may cause serious damage to the local system.
What clearly happened here is that, over three years ago, some kid decided to write a bunch of code for various "pranks" (granted some of them would be more serious than the kid likely intended) and then for whatever reason decided to publish that code (without a license, but with a valid-looking email address).
Insisting on using something like this as an example of "malware" should be embarrassing. PyPI seems to be doing a very good job of keeping out malware with their very limited human resources, and it comes across like this package was only included for "balance" (or to broaden the scope in the title) in a report that mentioned three npm packages.