Lolip0p PyPi packages could deploy an infostealer

January 26, 2023
Lolip0p PyPi Packages Deploy Infostealer Malware

A threat actor called Lolip0p has uploaded three malicious packages to the Python Package Index (PyPI) repository containing code for deploying infostealer malware on targeted systems.

The author uploaded the packages named ‘colorslib,’ ‘httpslib,’ and ‘libhttps’ earlier this month. Fortunately, all three packages are now removed from the repository.


The threat actor called Lolip0p has exploited the popularity of the PyPI repository.


PyPI is one of the most used repositories for Python packages, which software devs rely on to find the building blocks for their projects. Its popularity attracted hackers like Lolip0p to target developers and their projects.

Hackers commonly upload malicious packages that spoof legitimate ones, since software developers could pull them into their projects by mistake.

However, the current campaign from Lolip0p did not follow this standard method of attack. According to investigations, the three packages uploaded to PyPI do not seek to deceive potential victims by impersonating other products. Instead, they are presented as a helpful toolset whose description gives no hint of malicious code.

Based on reports, the malicious packages came with a complete description of what they offer a developer. Hence, the hacker could convince more developers that each one is a legitimate and safe product.

Unfortunately, the trio of packages from the threat actor had accumulated numerous downloads according to a tally from the repository last week: colorslib was downloaded 248 times, httpslib 233 times, and libhttps 68 times.

The download numbers may appear small, but every affected individual could feel the effect of these infections if they feed into a larger supply chain campaign.

Furthermore, the three packages feature the same malicious setup[.]py file, which tries to run PowerShell to retrieve an executable named Oxyz[.]exe from a URL. Additionally, this malware strain could steal browser information from a victim.

The level of sophistication of threat actors has been very high recently, as they have become very tricky in their approach and in how they deceive targeted individuals. Therefore, software devs should be very meticulous in selecting packages to download, to ensure the safety and security of their projects.

Experts highly recommend that devs review a package’s author and check its code to see if there is any malicious intent behind it.
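One way to follow that advice, as an added example that is not from the article or from any of the packages named: a small Python check over a package’s setup.py that flags the install-time behaviour described above (shelling out to PowerShell, fetching or decoding a payload). The two setup.py contents below are constructed samples, not the real files.

```python
"""Static check for install-time code execution in a package's setup.py."""
import ast

# Calls that let setup.py run commands, fetch a payload or decode one at install time.
SUSPICIOUS_CALLS = {
    "subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output",
    "os.system", "os.popen", "urllib.request.urlopen", "urllib.request.urlretrieve",
    "base64.b64decode", "exec", "eval",
}
# String markers worth a second look in any setup.py literal.
SUSPICIOUS_STRINGS = ("powershell", ".exe")

# Constructed benign sample: a plain setuptools metadata file.
BENIGN_SETUP = '''from setuptools import setup
setup(name="colorslib", version="0.1", description="colour helpers")
'''

# Constructed sample modelled on the behaviour the article describes; the command is a placeholder.
MALICIOUS_SETUP = '''# constructed sample, not the real package
import subprocess
from setuptools import setup
subprocess.call(["powershell", "-Command", "# placeholder for a download-and-run command"])
setup(name="colorslib", version="0.1", description="colour helpers")
'''


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain such as subprocess.call, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return a list of (line, reason) findings for one setup.py source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call to {name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for marker in SUSPICIOUS_STRINGS:
                if marker in node.value.lower():
                    findings.append((node.lineno, f"string contains {marker!r}"))
                    break
    return findings


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("malicious", MALICIOUS_SETUP)):
        print(label, scan_setup_py(src))
```

Run it over the setup.py of an sdist before installing; a clean metadata-only file yields no findings, while any hit is a reason to read the file by hand.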
