Malicious ‘Lolip0p’ PyPi packages install info-stealing malware

silversurfer

A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers' systems.

The malicious packages, discovered by Fortinet, were all uploaded by the same author named 'Lolip0p' between January 7 and 12, 2023. Their names are 'colorslib,' 'httpslib,' and 'libhttps.' All three have been reported and removed from the PyPI.
Unfortunately, even after removing those packages from the PyPI, threat actors can still re-upload them at a later time under a different name.

To ensure the safety and security of their projects, software developers should pay attention when selecting packages for download. This includes checking the package's authors and reviewing the code for any suspicious or malicious intent.
 

vtqhtr413

Researchers have uncovered yet another supply chain attack targeting an open source code repository, showing that the technique, which has gained wide use in the past few years, isn’t going away any time soon. This time, the repository was PyPI, short for the Python Package Index, which is the official software repository for the Python programming language. Earlier this month, a contributor with the username Lolip0p uploaded three packages to PyPI titled: colorslib, httpslib, and libhttps. The contributor was careful to disguise all three as legitimate packages, in this case, as libraries for creating a terminal user interface and thread-safe connection pooling. All three packages were advertised as providing full-featured usability.
 

correlate

Over 450 malicious PyPI python packages were found installing malicious browser extensions to hijack cryptocurrency transactions made through browser-based crypto wallets and websites.
This discovery is a continuation of a campaign initially launched in November 2022, which started with only twenty-seven malicious PyPI packages and has greatly expanded over the past few months.
These packages are being promoted through a typosquatting campaign that impersonates popular packages but with slight variations, such as an altered or swapped character. The goal is to deceive software developers into downloading these malicious packages instead of the legitimate ones.
As Phylum explains in a report published on Friday, in addition to scaling up the campaign, the threat actors now utilize a novel obfuscation method that involves using Chinese ideographs in function and variable names.
New typosquatting
 
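Two of the checks the posts above recommend (reviewing package code before installing it, and catching typosquatted names) can be automated. The script below is an added example, not code from the thread, from Fortinet or from Phylum: it parses a package's Python source with the `ast` module and lists identifiers built from non-ASCII characters (the ideograph-based naming Phylum describes), and it compares a package name against a short, constructed list of popular names using `difflib`. The sample source, the popular-name list and the 0.8 similarity cutoff are all assumptions chosen for illustration.

```python
import ast
import difflib

# Constructed sample of a package's __init__.py that mimics the obfuscation
# style described above: identifiers made of Chinese ideographs. The code it
# contains is harmless (string concatenation only); it exists to exercise the scanner.
SAMPLE_SOURCE = '''
def 下载(网址):
    数据 = "http://" + 网址
    return 数据

def helper(value):
    return value
'''

# Constructed list of well-known package names to compare against. A real
# deployment would take the top-N list from PyPI download statistics instead.
POPULAR = ["requests", "colorama", "httplib2", "urllib3", "numpy"]


def non_ascii_identifiers(source: str) -> list:
    """Return the distinct function, class, argument and variable names in
    `source` that contain at least one character outside ASCII."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            name = node.name
        elif isinstance(node, ast.Name):
            name = node.id
        elif isinstance(node, ast.arg):
            name = node.arg
        else:
            continue
        if not name.isascii():
            found.add(name)
    return sorted(found)


def typosquat_candidates(package: str, popular=POPULAR, cutoff=0.8) -> list:
    """Popular names that `package` closely resembles (exact matches excluded).
    Similarity is difflib's ratio, so a one-character insertion or swap in a
    short name scores well above the assumed 0.8 cutoff."""
    return [p for p in popular
            if p != package
            and difflib.SequenceMatcher(None, package, p).ratio() >= cutoff]


def audit(package: str, source: str) -> dict:
    """Combine both checks into one report for a candidate package."""
    return {"package": package,
            "non_ascii_identifiers": non_ascii_identifiers(source),
            "resembles": typosquat_candidates(package)}
```

Neither check proves malice on its own: a flagged name or a non-ASCII identifier is a reason to open the code and the author's history before installing, which is the manual review the first post asks for.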
