A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers’ systems.
The malicious packages, discovered by Fortinet, were all uploaded by the same author, named ‘Lolip0p’, between January 7 and 12, 2023. Their names are ‘colorslib,’ ‘httpslib,’ and ‘libhttps.’ All three have been reported and removed from PyPI.
PyPI is the most widely used repository for Python packages that software developers use to source the building blocks of their projects.
Unfortunately, its popularity makes it an attractive target for threat actors going after developers or their projects. Typically, malicious packages are uploaded masquerading as something useful, or they mimic well-known projects by using slightly altered versions of their names (typosquatting).
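The name mimicry described above is something a dependency-review step can screen for before a package is ever installed. The following is an added example, not code from the article, Fortinet or PyPI: it parses a requirements file and flags names that are near misses of a small allowlist of expected packages, comparing both the full names and the names with common padding affixes peeled off. The allowlist, the affix list, the 0.7 threshold and the sample requirements file are all assumptions constructed for the demonstration.

```python
import re
from difflib import SequenceMatcher

KNOWN_GOOD = {"requests", "urllib3", "httplib2", "colorama", "colorlog", "numpy"}  # assumed allowlist
FILLER = ("python", "lib", "py", "pkg", "utils")  # assumed affixes used to pad lookalike names

def normalize(name):
    """PEP 503 style normalization: lowercase, runs of -_. become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def stem(name):
    """Peel trailing digits and filler affixes: 'httplib2' -> 'http', 'libhttps' -> 'https'."""
    s = normalize(name)
    while True:
        t = s.rstrip("0123456789").strip("-")
        for tok in FILLER:
            if t.startswith(tok) and len(t) > len(tok): t = t[len(tok):]
            if t.endswith(tok) and len(t) > len(tok): t = t[:-len(tok)]
        if t.strip("-") == s: return s
        s = t.strip("-")

def lookalike_score(candidate, known):
    """Similarity of the full names or of their stems, whichever is higher."""
    pairs = ((candidate, known), (stem(candidate), stem(known)))
    return max(SequenceMatcher(None, normalize(a), normalize(b)).ratio() for a, b in pairs)

def parse_requirements(text):
    """Bare project names from requirements.txt; comments, blanks and pip options are skipped."""
    names = []
    for line in text.splitlines():
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line.split("#", 1)[0].strip())
        if m:
            names.append(m.group(0))
    return names

def screen_requirements(text, known_good=KNOWN_GOOD, threshold=0.7):
    """Map each name not on the allowlist to the allowlisted names it resembles."""
    known_norm, findings = {normalize(k) for k in known_good}, {}
    for name in parse_requirements(text):
        if normalize(name) in known_norm:
            continue  # exact match with an expected dependency
        hits = [(k, round(lookalike_score(name, k), 3)) for k in sorted(known_good)]
        hits = sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])
        if hits:
            findings[name] = hits
    return findings

# Constructed sample: two legitimate pins plus the three names from the report.
SAMPLE = "requests==2.31.0\nnumpy\ncolorslib\nhttpslib>=1.0\nlibhttps\n"  # constructed input
if __name__ == "__main__":
    print(screen_requirements(SAMPLE))
```

Exact allowlisted names pass silently; the three reported names are each reported next to the legitimate package they resemble, with the similarity score that tripped the threshold.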
PyPI doesn’t have the resources to scrutinize every package upload, so it relies on user reports to find and remove malicious files. By the time they are deleted, though, the bad packages have usually accumulated several hundred downloads.