Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries

Cybersecurity
researchers
are
warning
of
“imposter
packages”
mimicking
popular
libraries
available
on
the
Python
Package
Index
(PyPI)
repository.

The
41
malicious
PyPI
packages
have
been
found
to
pose
as
typosquatted
variants
of
legitimate
modules
such
as
HTTP,
AIOHTTP,
requests,
urllib,
and
urllib3.
The
names
of
the
packages
are
as
follows:

aio5,
aio6,
htps1,
httiop,
httops,
httplat,
httpscolor,
httpsing,
httpslib,
httpsos,
httpsp,
httpssp,
httpssus,
httpsus,
httpxgetter,
httpxmodifier,
httpxrequester,
httpxrequesterv2,
httpxv2,
httpxv3,
libhttps,
piphttps,
pohttp,
requestsd,
requestse,
requestst,
ulrlib3,
urelib3,
urklib3,
urlkib3,
urllb,
urllib33,
urolib3,
xhttpsp

“The
descriptions
for
these
packages,
for
the
most
part,
don’t
hint
at
their
malicious
intent,”
ReversingLabs
researcher
Lucija
Valentić

said
in
a
new
writeup.
“Some
are
disguised
as
real
libraries
and
make
flattering
comparisons
between
their
capabilities
and
those
of
known,
legitimate
HTTP
libraries.”

But
in
reality,
they
either
harbor
downloaders
that
act
as
a
conduit
to
deliver
second-stage
malware
to
infected
hosts
or
information
stealers
that
are
designed
to
exfiltrate
sensitive
data
such
as
passwords
and
tokens.

Fortinet,
which
also

disclosed
similar
rogue
HTTP
packages
on
PyPI
earlier
this
week,
noted
their
ability
to
launch
a

trojan
downloader
that,
in
turn,
contains
a

DLL
file
(Rdudkye.dll)
packing
a
variety
of
functions.

The
development
is
just
the
latest
attempt
by
malicious
actors
to
poison
open
source
repositories
like
GitHub,
npm,
PyPI,
and
RubyGems
to
propagate
malware
to
developer
systems
and
mount
supply
chain
attacks.

The
findings
come
a
day
after
Checkmarx

detailed
a
surge
in
spam
packages
in
the
open
source
npm
registry
that
are
designed
to
redirect
victims
to
phishing
links.

“As
with
other
supply
chain
attacks,
malicious
actors
are
counting
on
typosquatting
creating
confusion
and
counting
on
incautious
developers
to
embrace
malicious
packages
with
similar-sounding
names
by
accident,”
Valentić
said.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts