
A threat actor going by the name Lolip0p has uploaded three malicious packages to the Python Package Index (PyPI) repository, each designed to drop malware on compromised developer systems.
The packages, colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12), were published by the author between January 7 and January 12, 2023. They have since been removed from PyPI, but not before being downloaded more than 550 times cumulatively.
The modules come with identical setup scripts designed to launch PowerShell and run a malicious binary (“Oxzy.exe”) hosted on Dropbox, Fortinet said in a report published last week.
Once launched, the executable triggers the next stage, fetching a binary named update.exe that runs from the Windows temporary folder (“%USER%\AppData\Local\Temp\”).
update.exe has been flagged by antivirus vendors on VirusTotal as an information stealer that can also drop additional binaries, one of which is detected by Microsoft as Wacatac.
Microsoft, the maker of Windows, describes the trojan as a threat that “allows malicious hackers to perform many actions of their choosing on your PC,” including delivering ransomware and other payloads.
Fortinet FortiGuard Labs researcher Jin Lee said: “However, these packages download and execute malicious binary executables.”
The disclosure comes several weeks after Fortinet discovered two other malicious packages, named Shaderz and aioconsol, that contain similar functionality to collect and steal sensitive personal information.
The findings once again illustrate the constant stream of malicious activity recorded in popular open source package repositories, where attackers leverage trust relationships to plant tainted code and widen the scope of infection.
To avoid falling prey to such supply chain attacks, exercise caution when downloading and executing packages from untrusted authors.