Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries

Feb 23, 2023 | Ravie Lakshmanan | Software Security / Supply Chain Attack

Cybersecurity researchers are warning of “imposter packages” mimicking popular libraries available on the Python Package Index (PyPI) repository.

The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3. The names of the packages are as follows:

aio5, aio6, htps1, httiop, httops, httplat, httpscolor, httpsing, httpslib, httpsos, httpsp, httpssp, httpssus, httpsus, httpxgetter, httpxmodifier, httpxrequester, httpxrequesterv2, httpxv2, httpxv3, libhttps, piphttps, pohttp, requestsd, requestse, requestst, ulrlib3, urelib3, urklib3, urlkib3, urllb, urllib33, urolib3, xhttpsp

“The descriptions for these packages, for the most part, do not hint at their malicious intent,” ReversingLabs researcher Lucija Valentić said in a new writeup. “Some are disguised as actual libraries and make flattering comparisons between their capabilities and those of recognized, official HTTP libraries.”

But in reality, they either harbor downloaders that act as a conduit to deliver second-stage malware to infected hosts or information stealers that are designed to exfiltrate sensitive data such as passwords and tokens.

Fortinet, which also disclosed similar rogue HTTP packages on PyPI earlier this week, noted their ability to launch a trojan downloader that, in turn, contains a DLL file (Rdudkye.dll) packing a variety of functions.



The development is just the latest attempt by malicious actors to poison open source repositories like GitHub, npm, PyPI, and RubyGems to propagate malware to developer systems and mount supply chain attacks.

The findings come a day after Checkmarx detailed a surge in spam packages in the open source npm registry that are designed to redirect victims to phishing links.

“As with other supply chain attacks, malicious actors are relying on typosquatting creating confusion and relying on incautious developers to embrace malicious packages with similar-sounding names accidentally,” Valentić said.
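Near-miss names like the ones listed above can be screened for before anything is installed. The following is an added example, not code from the article, ReversingLabs or Fortinet: it flags names in a requirements file that sit within one edit of a known package without being that package. The allowlist, the distance threshold and the sample file are assumptions made for illustration.

```python
import re

# Assumption: allowlist of legitimate names, taken from the libraries the article names.
LEGITIMATE = ("aiohttp", "requests", "urllib", "urllib3")
NAME_RE = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

# Constructed requirements file; the look-alike names come from the article's list.
SAMPLE = """\
requests==2.28.2
ulrlib3>=1.26  # transposed letters
urllib33
requestsd
aiohttp
numpy
"""

def normalize(name):
    """PEP 503 normalization, so 'Requests' and 'requests' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def find_lookalikes(lines, legitimate=LEGITIMATE, max_distance=1):
    """Return (declared, resembles, distance) for names near, but not in, the allowlist."""
    known = {normalize(n) for n in legitimate}
    findings = []
    for line in lines:
        m = NAME_RE.match(line.split("#", 1)[0])
        if not m or normalize(m.group(1)) in known:
            continue
        name = normalize(m.group(1))
        dist, target = min((osa_distance(name, k), k) for k in known)
        if dist <= max_distance:
            findings.append((name, target, dist))
    return findings

if __name__ == "__main__":
    for declared, resembles, dist in find_lookalikes(SAMPLE.splitlines()):
        print(f"{declared}: {dist} edit(s) from {resembles}")
```

Names from the article's list such as libhttps or httpsus are not within one edit of any allowlisted name, so this check is one signal to combine with others rather than a complete filter.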
