Fortinet observed three rogue PyPI packages spreading malware

Researchers discovered three malicious packages that have been uploaded to the Python Package Index (PyPI) repository by Lolip0p group.

FortiGuard Labs researchers discovered three malicious PyPI packages (called ‘colorslib’, ‘httpslib’, and “libhttps”) on the PyPI repository that were uploaded by the same actor, Lolip0p. The packages were discovered on January 10, 2023, the packages “colorslib” and “httpslib” were published on January 7, 2023, while “libhttps” was published on January 12, 2023.

The packages are designed to drop malware on compromised developer systems.

The three packages were downloaded over 550 times in total.

The packages use an identical setup.py script that runs a PowerShell and runs a malicious executable (“Oxzy.exe“) hosted on Dropbox.

The researchers noticed that the download URL has not previously been labeled as malicious, while the downloaded executable was identified as malicious by some security vendors.

Upon executing the file, another binary named update.exe is executed in the temporary folder ‘%USER%\AppData\Local\Temp\.’

The malware (Wacatac Trojan) that is dropped on the developers’ systems can perform a broad range of malicious activities and deliver additional malicious payloads.

“The author also positions each package as legitimate and clean by including a convincing project description. However, these packages download and run a malicious binary executable.” concludes the report. “Python end users should always perform due diligence before downloading and running any packages, especially from new authors. And as can be seen, publishing more than one package in a short time period is no indication that an author is reliable.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]