Feb 23, 2023Ravie LakshmananSoftware Security / Supply Chain Attack

Cybersecurity researchers are warning of “imposter packages” mimicking popular libraries available on the Python Package Index (PyPI) repository.

The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3. The names of the packages are as follows:

aio5, aio6, htps1, httiop, httops, httplat, httpscolor, httpsing, httpslib, httpsos, httpsp, httpssp, httpssus, httpsus, httpxgetter, httpxmodifier, httpxrequester, httpxrequesterv2, httpxv2, httpxv3, libhttps, piphttps, pohttp, requestsd, requestse, requestst, ulrlib3, urelib3, urklib3, urlkib3, urllb, urllib33, urolib3, xhttpsp

“The descriptions for these packages, for the most part, don’t hint at their malicious intent,” ReversingLabs researcher Lucija Valentić said in a new writeup. “Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimate HTTP libraries.”

But in reality, they either harbor downloaders that act as a conduit to deliver second-stage malware to infected hosts or information stealers that are designed to exfiltrate sensitive data such as passwords and tokens.

Fortinet, which also disclosed similar rogue HTTP packages on PyPI earlier this week, noted their ability to launch a trojan downloader that, in turn, contains a DLL file (Rdudkye.dll) packing a variety of functions.

The development is just the latest attempt by malicious actors to poison open source repositories like GitHub, npm, PyPI, and RubyGems to propagate malware to developer systems and mount supply chain attacks.

The findings come a day after Checkmarx detailed a surge in spam packages in the open source npm registry that are designed to redirect victims to phishing links.

“As with other supply chain attacks, malicious actors are counting on typosquatting creating confusion and counting on incautious developers to embrace malicious packages with similar-sounding names by accident,” Valentić said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Religion events in the San Fernando Valley, March 25-April 1
Modest Mouse, Pixies, and Cat Power to Embark on North American Tour
MARCH SADNESS: Sad Country Songs Elite Eight Voting Is Now LIVE
Spring 2023 YA Books You’ll Want to TBR ASAP
Lady Gaga Steps Out as Harley Quinn in ‘Joker 2’ Set Photos

Leave a Reply

Your email address will not be published. Required fields are marked *