A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems.
The packages – named colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12) – by the author between January 7, 2023, and January 12, 2023. They have since been yanked from PyPI but not before they were cumulatively downloaded over 550 times.
The executable, once launched, triggers the retrieval of a next-stage, also a binary named update.exe, that runs in the Windows temporary folder (“%USER%\AppData\Local\Temp\”).
update.exe is flagged by antivirus vendors on VirusTotal as an information stealer that’s also capable of dropping additional binaries, one of which is detected by Microsoft as Wacatac.
“The author also positions each package as legitimate and clean by including a convincing project description,” Fortinet FortiGuard Labs researcher Jin Lee said. “However, these packages download and run a malicious binary executable.”
The disclosure arrives weeks after Fortinet unearthed two other rogue packages by the names of Shaderz and aioconsol that harbor similar capabilities to gather and exfiltrate sensitive personal information.
The findings once again demonstrate the steady stream of malicious activity recorded in popular open source package repositories, wherein threat actors are taking advantage of the trust relationships to plant tainted code in order to amplify and extend the reach of the infections.
Users are advised to exercise caution when it comes to downloading and running packages from untrusted authors to avoid falling prey to supply chain attacks.