Jamf protects against ‘pymafka’ malware

Sonatype researchers recently identified a supply chain attack leveraging a malicious Python package ‘PyMafka’ in the PyPI registry.

June 2 2022 by

Jamf Threat Labs

Threat: PyMafka

Affects: Sonatype researchers discovered a typosquatting attack imitating the legitimate ‘pykafka’ package repository, an Apache Kafka client for Python. The attacker’s intent is that developers would misspell the legitimate package name and download the malicious one ‘PyMafka’ instead. The malware then identifies the victim's platform (macOS, Windows and Linux) and downloads the respective Cobalt Strike payload.

Such attacks are not uncommon on macOS. Recently the CrateDepression malware leveraged a similar typosquatting technique hosting a malicious crate named ‘rustdecimal’ in an attempt to imitate the legitimate ‘rust_decimal' package.

Prevented by: Jamf Protect threat prevention blocks the execution of this malware.

Malicious URLs (as published by Sonatype):

Worried that malware might try to take a bite out of you and your macOS fleet? Take Jamf Protect for a spin!

Jamf de-fangs security threats, keeping your organization operating smoothly while keeping data safe.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.