Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems

Jan 17, 2023Ravie LakshmananSoftware Security / Supply Chain

PyPI Package

A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems.

The packages – named colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12) – by the author between January 7, 2023, and January 12, 2023. They have since been yanked from PyPI but not before they were cumulatively downloaded over 550 times.

The modules come with identical setup scripts that are designed to invoke PowerShell and run a malicious binary ("Oxzy.exe") hosted on Dropbox, Fortinet disclosed in a report published last week.

The executable, once launched, triggers the retrieval of a next-stage, also a binary named update.exe, that runs in the Windows temporary folder ("%USER%\AppData\Local\Temp\").

update.exe is flagged by antivirus vendors on VirusTotal as an information stealer that's also capable of dropping additional binaries, one of which is detected by Microsoft as Wacatac.

The Windows maker describes the trojan as a threat that "can perform a number of actions of a malicious hacker's choice on your PC," including delivering ransomware and other payloads.

"The author also positions each package as legitimate and clean by including a convincing project description," Fortinet FortiGuard Labs researcher Jin Lee said. "However, these packages download and run a malicious binary executable."

The disclosure arrives weeks after Fortinet unearthed two other rogue packages by the names of Shaderz and aioconsol that harbor similar capabilities to gather and exfiltrate sensitive personal information.

The findings once again demonstrate the steady stream of malicious activity recorded in popular open source package repositories, wherein threat actors are taking advantage of the trust relationships to plant tainted code in order to amplify and extend the reach of the infections.

Users are advised to exercise caution when it comes to downloading and running packages from untrusted authors to avoid falling prey to supply chain attacks.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.