Cybersecurity researchers have identified 41 malicious Python packages on the Python Package Index (PyPI) repository posing as legitimate modules such as HTTP, requests, and urllib3. The malicious packages use names such as aio5, htps1, httiop, httplat, httpscolor, httpsus, and urolib3, among others. The descriptions of these packages appear innocuous, some even make flattering comparisons with legitimate libraries, and the packages are capable of acting as conduits for second-stage malware or stealing sensitive data like passwords and tokens.
The modus operandi of these imposter packages is to poison the open source repositories to propagate malware to developer systems, a growing trend that malicious actors have adopted to mount supply chain attacks. Just this week, Fortinet disclosed similar rogue HTTP packages on PyPI capable of launching a trojan downloader that contains a DLL file (Rdudkye.dll) with various functions.
Typosquatting, where malicious actors use misspellings to create confusion and entice developers to install malware-infested packages with similar-sounding names, is an essential technique for these supply chain attacks. Python is the latest open-source repository to face the challenge of typosquatting after npm, RubyGems, and GitHub were previously targeted.
These incidents once again highlight the need for software developers to be vigilant when downloading packages from open-source repositories. Developers should also ensure that they only use trusted libraries from reliable sources and update their systems regularly to the latest patches and fixes. Additionally, it is essential to implement robust cybersecurity measures and protocols to secure the software supply chain and avoid being vulnerable to malicious attacks.
