Three malicious packages carrying infostealers were recently discovered, and subsequently removed, from the PyPI repository.
Researchers from Fortinet found three packages, uploaded between January 7 and 12, by a user named “Lollip0p”. These three are called “colorslib”, “httpslib”, and “libhttps”, and if you’ve used them before, make sure to remove them immediately.
Usually, cybercriminals looking to compromise Python developer endpoints via PyPI will try typosquatting – giving their malicious packages names almost identical to others belonging to legitimate projects. That way, developers who are either reckless, or in a hurry, might unknowingly use the malicious one, instead of the clean one.
Stealing browser data
This campaign, however, is different, as these three have unique names. To build trust, the attacker drafted complete descriptions for the packages. While the total download count for these three hardly surpassed 500, it might still prove devastating if it’s a part of a larger supply chain, the publication states.
In all three cases, the attackers are distributing a file called “setup.py” which, after running a PowerShell, tries to download the “Oxyz.exe” executable from the internet. This executable, the researchers are saying, is malicious, and steals browser information. We don’t know exactly what type of information the malware (opens in new tab) is looking to steal, but infostealers usually go for saved passwords, credit card data, cryptocurrency wallets, and other valuable information.
The report also found that the detection rate for these executables are relatively low (up to 13.5%), meaning the attackers can successfully siphon out data even from endpoints protected by antivirus solutions.
While the malicious packages have been removed from PyPI already, nothing is stopping the attackers from simply uploading them with a different name, and from a different account. That being said, the best way to protect against this type of supply chain attack is to be particularly careful when downloading code building blocks from repositories.
Via: BleepingComputer (opens in new tab)