Several hundred people ended up downloading malicious software onto their computers.
This month, an unknown attacker under the nickname “Lolip0p” uploaded three malicious packages to the PyPI (Python Package Index) repository that contain code for the subsequent installation of infostealers.
The malicious packages detected by Fortinet were uploaded between January 7 and 12, 2023. The names of these packages are as follows: "colorslib", "httpslib" and "libhttps". All three were removed from PyPI upon discovery.
PyPI is the most widely used repository for Python packages that software developers use to speed up their work.
Unfortunately, the repository's popularity also makes it attractive to attackers targeting developers or their projects. As a rule, malicious packages are uploaded to PyPI under the guise of something useful, or they simply imitate well-known projects under a slightly altered name.
PyPI does not have the resources to thoroughly check every uploaded package, so the service relies solely on user reports to identify and remove malicious files in a timely manner. By the time they are removed, however, the malware already has several hundred downloads.
Unlike typical malicious uploads on PyPI, the “trio” detected by Fortinet comes with complete, detailed descriptions of the kind normally found in legitimate packages. This lowers developers' guard, and they voluntarily install the malicious software on their computers.
The package names do not imitate any other project. Instead, in the description the attackers deliberately try to convince developers that the package code is completely safe and reliable and that it performs many useful functions.
According to the PyPI Package Statistics Count Service, the three malicious entries had the following number of downloads at the time of removal:
colorslib - 248 downloads
httpslib - 233 downloads
libhttps - 68 downloads
While the number of downloads may seem small, the potential impact of an infection is very significant if these cases are seen as part of a larger chain.
All three packages contain the same malicious setup.py file, which tries to launch PowerShell. The installer then downloads the executable "Oxyz.exe" from a suspicious URL; that program, in turn, steals data from the browser.
BleepingComputer found that "Oxyz.exe" is also distributed as a free Discord Nitro subscription generator, and that at least one of the processes in this executable is used to collect Discord tokens. Presumably, then, this is just one part of a larger campaign to steal information and other data from infected devices.
The detection rates for all three files used in this attack are quite low, ranging from 4.5% to 13.5%. In most cases this lets the malicious files evade the antivirus installed on the victim's computer.
Unfortunately, even after these packages are removed from PyPI, attackers can still re-upload them under a different name.
To keep their projects secure, software developers must choose the packages they install carefully, checking both the package's authors and the code itself for signs of suspicious or malicious intent.
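The article describes the packages' setup.py spawning PowerShell to fetch an executable, and closes by advising developers to inspect package code before installing it. The following is an added example of such a pre-install check, written for this page and not taken from Fortinet's report or from the malicious packages themselves. It parses a setup.py with Python's `ast` module and flags install-time process execution, network fetches, PowerShell references and URLs pointing at executables. The two setup.py sources embedded below are constructed for the example; the "malicious" one only mimics the behaviour the article describes and contains no working download command.

```python
# Added example: triage a package's setup.py before running "pip install".
# The indicators flagged here are the ones the article attributes to the
# malicious packages (spawning PowerShell, fetching an .exe from a URL).
# The sample setup.py sources below are constructed, not real package code.
import ast
import re

# Calls that execute external commands at install time.
# Legitimate setup.py files almost never need these.
PROCESS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.call",
    "subprocess.Popen", "subprocess.check_output", "subprocess.check_call",
}
# Calls that fetch remote content at install time.
NETWORK_CALLS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "requests.post",
}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute call target, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_setup_py(source):
    """Return a sorted list of (line, reason) findings for a setup.py source."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in PROCESS_CALLS:
                findings.append((node.lineno, f"spawns a process via {name}"))
            elif name in NETWORK_CALLS:
                findings.append((node.lineno, f"fetches remote content via {name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            if "powershell" in text.lower():
                findings.append((node.lineno, "references PowerShell"))
            for url in URL_RE.findall(text):
                if url.lower().endswith(".exe"):
                    findings.append((node.lineno, f"downloads an executable: {url}"))
                else:
                    findings.append((node.lineno, f"contains URL: {url}"))
    return sorted(set(findings))


# Constructed sample: a harmless setup.py that should produce no findings.
CLEAN_SETUP_PY = '''
from setuptools import setup
setup(name="examplelib", version="1.0", description="A helpful library.")
'''

# Constructed sample: mimics an install-time dropper. The PowerShell argument
# is a placeholder, not a functioning command, and the URL is non-routable.
SUSPICIOUS_SETUP_PY = '''
from setuptools import setup
import subprocess

subprocess.Popen(["powershell", "-c",
                  "<constructed placeholder> http://example.invalid/dropper.exe"])

setup(name="examplelib", version="1.0", description="A helpful library.")
'''


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SETUP_PY), ("suspicious", SUSPICIOUS_SETUP_PY)):
        print(f"== {label} ==")
        for line, reason in triage_setup_py(src) or [(0, "no findings")]:
            print(f"  line {line}: {reason}")
```

Run it against a freshly downloaded sdist (`pip download --no-deps --no-binary :all: <package>`, then unpack and pass the setup.py text to `triage_setup_py`) before installing. A finding is not proof of malice, since some legitimate build scripts shell out to compilers, but a package whose install step launches PowerShell or fetches an executable deserves a manual read before it runs on a developer machine.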