Malicious packages were hosted on a popular repository


    Several hundred people downloaded the malicious software onto their computers.

    This month, an unknown attacker using the nickname “Lolip0p” uploaded three malicious packages to the PyPI (Python Package Index) repository. The packages contain code that goes on to install infostealers.

    The malicious packages detected by Fortinet were uploaded between January 7 and 12, 2023. The names of these packages are as follows: "colorslib", "httpslib" and "libhttps". All three were removed from PyPI upon discovery.

    PyPI is the most widely used repository for Python packages that software developers use to speed up their work.

    Unfortunately, the repository's popularity also makes it attractive to attackers targeting developers or their projects. As a rule, malicious packages are uploaded to PyPI under the guise of something useful, or they simply imitate well-known projects by using a slightly altered name.

    PyPI does not have the resources to thoroughly check every uploaded package, so the service relies largely on user reports to identify and remove malicious files in a timely manner. By the time they are removed, however, the malware already has several hundred downloads.

    Unlike typical malware uploads on PyPI, the “trio” detected by Fortinet comes with the full, detailed descriptions normally found in legitimate packages. This lulls developers' vigilance, and they willingly install the malicious software on their own computers.

    The package names do not imitate any other project. Instead, the descriptions deliberately try to convince the developer that the package code is completely safe and reliable and that it performs many useful functions.

    According to the PyPI Package Statistics Count Service, the three malicious entries had the following number of downloads at the time of removal:

    colorslib - 248 downloads
    httpslib - 233 downloads
    libhttps - 68 downloads

    While the number of downloads may seem small, the potential impact is very significant if each of these infections is viewed as one link in a larger chain of compromise.

    All three packages contain the same malicious setup.py file, which tries to launch PowerShell. The installer then downloads the executable "Oxyz.exe" from a suspicious URL. That program, in turn, steals data from the browser.

    BleepingComputer found that "Oxyz.exe" is also distributed as a free Discord Nitro subscription generator, and at least one of the processes spawned by this file is used to collect Discord tokens. Presumably, then, this is just one part of a larger campaign to steal credentials and other data from infected devices.

    The detection rates for all three files used in this attack are quite low, ranging from 4.5% to 13.5%, so in most cases the malicious files evade the antivirus installed on the victim's computer.

    Unfortunately, even after these packages are removed from PyPI, the attackers can simply re-upload them under a different name.

    To keep their projects secure, software developers must choose carefully which packages they download. Check both the package's authors and the code itself for signs of suspicious or malicious intent.
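As an added example (not code from the article or from Fortinet), here is a small static check for the install-time behaviour described above: a setup.py that spawns PowerShell or pulls down an executable. It assumes the package is first saved locally as an sdist (for instance with `pip download --no-deps --no-binary :all:`) so that setup.py can be parsed with the standard-library `ast` module before `pip install` ever runs it; the sample setup.py inside is a constructed fixture, not the real packages' code.

```python
"""Static triage of a setup.py before `pip install` (added example, not the article's or Fortinet's code).
Flags the pattern the article describes: install-time code that spawns PowerShell or fetches an
executable. SAMPLE_SETUP_PY is a constructed fixture, not the real colorslib/httpslib/libhttps code."""
import ast

# Calls an installer has no business making; exec/eval/b64decode are hints that obfuscation is in play.
SUSPICIOUS_CALLS = {
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "os.system", "os.popen", "os.startfile", "exec", "eval", "base64.b64decode",
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get",
}
SUSPICIOUS_STRINGS = ("powershell", ".exe")

def _call_name(node: ast.Call) -> str:
    """Render the callee as dotted text, e.g. 'subprocess.Popen'."""
    parts, target = [], node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if isinstance(target, ast.Name):
        parts.append(target.id)
    return ".".join(reversed(parts))

def scan_setup_py(source: str) -> list[str]:
    """Return findings for one setup.py; an empty list means nothing was flagged."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}")
            # setup(cmdclass=...) hooks custom Python into the install step itself.
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(f"line {node.lineno}: setup() overrides install commands via cmdclass")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            hits = [s for s in SUSPICIOUS_STRINGS if s in node.value.lower()]
            if hits:
                findings.append(f"line {node.lineno}: string literal mentions {', '.join(hits)}")
    return findings

# Constructed fixture mirroring the article's description (placeholder command, no real URL).
SAMPLE_SETUP_PY = '''
from setuptools import setup
import subprocess
subprocess.Popen(["powershell", "-Command", "<placeholder: fetch-and-run stub>"])
setup(name="example-pkg", version="1.0")
'''

if __name__ == "__main__":
    print("\n".join(scan_setup_py(SAMPLE_SETUP_PY)))
```

A name match is only a first pass: obfuscated installers (encoded strings, dynamic imports) need the exec/base64 hints followed up by hand, and a wheel carries no setup.py at all, so inspect the archive contents too.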

    Author DeepWeb