Malicious ‘Lolip0p’ PyPi packages install info-stealing malware

[silversurfer]

Content source

https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packages-install-info-stealing-malware/

A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers' systems.

The malicious packages, discovered by Fortinet, were all uploaded by the same author named 'Lolip0p' between January 7 and 12, 2023. Their names are 'colorslib,' 'httpslib,' and 'libhttps.' All three have been reported and removed from the PyPI.

Unfortunately, even after removing those packages from the PyPI, threat actors can still re-upload them at a later time under a different name.

To ensure the safety and security of their projects, software developers should pay attention selecting packages for download. This includes checking the package's authors and reviewing the code any suspicious or malicious intent.

Malicious ‘Lolip0p’ PyPi packages install info-stealing malware

A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers' systems.

www.bleepingcomputer.com

 

[vtqhtr413]

Researchers have uncovered yet another supply chain attack targeting an open source code repository, showing that the technique, which has gained wide use in the past few years, isn’t going away any time soon. This time, the repository was PyPI, short for the Python Package Index, which is the official software repository for the Python programming language. Earlier this month, a contributor with the username Lolip0p uploaded three packages to PyPI titled: colorslib, httpslib, and libhttps. The contributor was careful to disguise all three as legitimate packages, in this case, as libraries for creating a terminal user interface and thread-safe connection pooling. All three packages were advertised as providing full-featured usability.

More malicious packages posted to online repository. This time it’s PyPI

It's not always easy to spot malicious impostors posing as legit downloads.

arstechnica.com

 

[[correlate]]

Over 450 malicious PyPI python packages were found installing malicious browser extensions to hijack cryptocurrency transactions made through browser-based crypto wallets and websites.
This discovery is a continuation of a campaign initially launched in November 2022, which initially started with only twenty-seven malicious PyPi packages, and now greatly expanding over the past few months.
These packages are being promoted through a typosquatting campaign that impersonates popular packages but with slight variations, such as an altered or swapped character. The goal is to deceive software developers into downloading these malicious packages instead of the legitimate ones.
As Phylum explains in a report published on Friday, in addition to scaling up the campaign, the threat actors now utilize a novel obfuscation method that involves using Chinese ideographs in function and variable names.
New typosquatting

451 PyPI packages install Chrome extensions to steal crypto

Over 450 malicious PyPI python packages were found installing malicious Chromium browser extensions to hijack cryptocurrency transactions made through browser-based crypto wallets and websites.

www.bleepingcomputer.com