Programmers: look out for these infostealers on the Python Package Index

By Scott Marlette Last updated Jan 17, 2023

Three malicious packages carrying infostealers were recently discovered, and subsequently removed, from the PyPI repository.

Researchers from Fortinet found three packages, uploaded between January 7 and 12, by a user named “Lollip0p”. These three are called “colorslib”, “httpslib”, and “libhttps”, and if you’ve used them before, make sure to remove them immediately.

Usually, cybercriminals looking to compromise Python developer endpoints via PyPI will try typosquatting – giving their malicious packages names almost identical to others belonging to legitimate projects. That way, developers who are either reckless, or in a hurry, might unknowingly use the malicious one, instead of the clean one.

Stealing browser data

This campaign, however, is different, as these three have unique names. To build trust, the attacker drafted complete descriptions for the packages. While the total download count for these three hardly surpassed 500, it might still prove devastating if it’s a part of a larger supply chain, the publication states.

In all three cases, the attackers are distributing a file called “setup.py” which, after running a PowerShell, tries to download the “Oxyz.exe” executable from the internet. This executable, the researchers are saying, is malicious, and steals browser information. We don’t know exactly what type of information the malware (opens in new tab) is looking to steal, but infostealers usually go for saved passwords, credit card data, cryptocurrency wallets, and other valuable information.

The report also found that the detection rate for these executables are relatively low (up to 13.5%), meaning the attackers can successfully siphon out data even from endpoints protected by antivirus solutions.

While the malicious packages have been removed from PyPI already, nothing is stopping the attackers from simply uploading them with a different name, and from a different account. That being said, the best way to protect against this type of supply chain attack is to be particularly careful when downloading code building blocks from repositories.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.