
Cybersecurity researchers warn of “spoofed packages” that mimic popular libraries available in the Python Package Index (PyPI) repository.
41 malicious PyPI packages have been found disguised as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.
The names of the packages are:
aio5, aio6, htps1, httiop, httops, httplat, httpscolor, httpsing, httpslib, httpsos, httpsp, httpssp, httpssus, httpsus, httpxgetter, httpxmodifier, httpxrequester, httpxrequesterv2, httpxv2, httpxv3, libhttps, piphttps, pohttp, requestd, requeste, requestt, ulrlib3, urelib3, urklib3, urlkib3, urllb, urllib33, urolib3, xhttpsp
ReversingLabs researcher Lucija Valentić says in a new article: “Some are masquerading as real libraries, and complement their features with those of known legitimate HTTP libraries.”
In reality, however, they harbor either downloaders that act as conduits for delivering second-stage malware to infected hosts, or information stealers designed to siphon sensitive data such as passwords and tokens.
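As an added defender-side example (not code from the ReversingLabs or Fortinet reports), the script below flags dependency names that sit within a small edit distance of, or embed, the HTTP libraries the article says were imitated, and runs that check over the package names listed above; the distance threshold and substring rule are this example's own assumption.

```python
"""Flag dependency names that look like typosquats of popular HTTP libraries.

Added example, not code from the ReversingLabs or Fortinet reports. LEGIT and
REPORTED come from the article; the distance/substring heuristic is an assumption."""

# Legitimate modules the article says the malicious packages imitate.
LEGIT = ("http", "aiohttp", "requests", "urllib", "urllib3")

# Names the article lists as malicious, used here as constructed scan input.
REPORTED = (
    "aio5", "aio6", "htps1", "httiop", "httops", "httplat", "httpscolor",
    "httpsing", "httpslib", "httpsos", "httpsp", "httpssp", "httpssus",
    "httpsus", "httpxgetter", "httpxmodifier", "httpxrequester",
    "httpxrequesterv2", "httpxv2", "httpxv3", "libhttps", "piphttps",
    "pohttp", "requestd", "requeste", "requestt", "ulrlib3", "urelib3",
    "urklib3", "urlkib3", "urllb", "urllib33", "urolib3", "xhttpsp",
)

def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, standard two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name: str, legit=LEGIT, max_distance: int = 2):
    """(legit_name, distance) for a near-miss such as requestd; (legit_name, None)
    when the name merely embeds a legitimate one (libhttps, httpxrequesterv2);
    None when it is legitimate itself or bears no resemblance (aio5 slips through)."""
    n = name.lower()
    if n in legit:
        return None
    target, dist = min(((l, levenshtein(n, l)) for l in legit), key=lambda t: t[1])
    if dist <= max_distance:
        return target, dist
    for l in sorted(legit, key=len, reverse=True):  # longest embedded name wins
        if l in n:
            return l, None
    return None

def scan(names, legit=LEGIT) -> dict:
    """Map each suspicious name to what it resembles; clean names are omitted."""
    return {n: hit for n in names if (hit := lookalike(n, legit))}

if __name__ == "__main__":
    for name, (target, dist) in scan(REPORTED).items():
        why = f"edit distance {dist}" if dist is not None else "embeds the name"
        print(f"{name:18} -> {target:9} ({why})")
```

Of the 34 reported names, 31 are caught by this heuristic; aio5, aio6 and htps1 evade it, which is why such a check belongs beside an allowlist of approved dependencies rather than in place of one.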

Fortinet, which reported on a similar malicious HTTP package on PyPI earlier this week, noted that it can launch a Trojan downloader containing a DLL file (Rdudkye.dll) packed with various functions.
This development is just the latest attempt by malicious actors to pollute open source repositories such as GitHub, npm, PyPI and RubyGems to spread malware to developer systems and launch supply chain attacks.
The findings come a day after Checkmarx detailed a spike in spam packages on the open-source npm registry designed to redirect victims to phishing links.
“As with any supply chain attack, malicious actors hope to cause confusion through typosquatting, and unwary developers may accidentally create malicious packages with similar names. We expect it to be accepted,” said Valentić.