Rouge Package in PyPI Repository
Researchers have discovered three malicious PyPI packages on the PyPI repository that were uploaded by the same actor, Lolip0p. The packages were discovered on January 10, 2023, and the packages “colorslib” and “httpslib” were published on January 7, 2023, while “libhttps” was published on January 12, 2023.
The packages were designed to drop malware on compromised developer systems and downloaded over 550 times in total.
The packages use an identical setup.py script that runs a PowerShell and runs a malicious executable (“Oxzy.exe“) hosted on Dropbox. The download URL has not previously been labeled as malicious, while the downloaded executable was identified as malicious by some security vendors.
Upon executing the file, another binary named update.exe is executed in a temporary folder
The malware Wacatac is dropped on the developers’ systems, which can perform a broad range of malicious activities and deliver additional malicious payloads.
Python end users should always perform due diligence before downloading and running any packages, especially from new authors.
This research was documented by researchers from Fortiguard labs
Indicators of Compromise