The malicious packages were uploaded by a threat actor using the alias “Lolip0p,” who dropped info-stealing malware on targeted devices.
Fortinet FortiGuard Labs’ researchers have discovered three malicious PyPI repositories. According to their analysis, these packages are designed to infect compromised devices with malware.
For your information, PyPI (Python Package Index) is the world’s most widely used repository for Python packages used by software developers building projects. Threat actors often use malicious packages against Python developers. Just a couple of months ago, malicious packages were found swapping out the crypto addresses of Python developers.
Further probe revealed that the packages were uploaded by a threat actor using the alias Lolip0p. The rogue packages contain code that drops info-stealing malware on the developer’s device.
According to researchers, these packages were uploaded between 7th and 12th January 2023 with the names’ colorslib’ versions 4.6.11 and 4.6.12, ‘httpslib’ versions 4.6.9 and 4.6.11, and ‘libhttps’ version 4.6.12.
However, all malicious packages were removed from the PyPI on January 17th, 2023 after Fortinet tipped them. However, by that time, the packages had been downloaded more than 550 times. Pepy.tech, a PyPI package stat counting service, broke down the download count of these packages by the time these were removed.
- Colorslib – 248 downloads
- httpslib – 233 downloads
- libhttps – 68 downloads
Moreover, the threat actors can reupload them later if they want to. Hence, the threat isn’t over yet. These modules contain similar setup scripts created to invoke PowerShell and execute a malicious binary titled Oxzy.exe, which is also distributed as a free Discord Nitro generator. This file is hosted on Dropbox. When this executable is launched, another binary titled update.exe is retrieved, which runs the Windows temporary folder stored at (“%USER%\AppData\Local\Temp\”).
This second file contains an information stealer that can also drop additional binaries. Microsoft reports that one of these binaries is Wacatac. The trojan can perform numerous actions, such as launching ransomware and different payloads.
The creator of these packages has made them appear legitimate and harmless by including a “convincing project description,” stated Fortinet researcher Jin Lee. But these packages actually download and run the malicious binary executable.
Users must exercise caution when downloading/running packages from unreliable sources to evade supply chain attacks.
- Gentoo Linux on Github hacked; repositories modified
- GitHub fixes critical flaw that exposed repositories to attackers
- Thousands of GitHub Repositories Cloned in Supply Chain Attack
- 6 official Python repositories plagued with cryptomining malware
- Typosquatting used in trojanizing 700 libraries in Ruby Repository