Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnThe Hacker NewsTHN:CDCD529147B2FE17123030EA2AB81B67
HistoryJan 17, 2023 - 6:36 a.m.

Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems

2023-01-1706:36:00
The Hacker News
thehackernews.com
28
pypi
malware
rogue packages
supply chain attacks
information stealer
ransomware
developer systems
JSON

PyPI Package

A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems.

The packages – named colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12) – by the author between January 7, 2023, and January 12, 2023. They have since been yanked from PyPI but not before they were cumulatively downloaded over 550 times.

The modules come with identical setup scripts that are designed to invoke PowerShell and run a malicious binary (“Oxzy.exe”) hosted on Dropbox, Fortinet disclosed in a report published last week.

The executable, once launched, triggers the retrieval of a next-stage, also a binary named update.exe, that runs in the Windows temporary folder ("%USER%\AppData\Local\Temp").

update.exe is flagged by antivirus vendors on VirusTotal as an information stealer that’s also capable of dropping additional binaries, one of which is detected by Microsoft as Wacatac.

The Windows maker describes the trojan as a threat that “can perform a number of actions of a malicious hacker’s choice on your PC,” including delivering ransomware and other payloads.

“The author also positions each package as legitimate and clean by including a convincing project description,” Fortinet FortiGuard Labs researcher Jin Lee said. “However, these packages download and run a malicious binary executable.”

The disclosure arrives weeks after Fortinet unearthed two other rogue packages by the names of Shaderz and aioconsol that harbor similar capabilities to gather and exfiltrate sensitive personal information.

The findings once again demonstrate the steady stream of malicious activity recorded in popular open source package repositories, wherein threat actors are taking advantage of the trust relationships to plant tainted code in order to amplify and extend the reach of the infections.

Users are advised to exercise caution when it comes to downloading and running packages from untrusted authors to avoid falling prey to supply chain attacks.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

JSON