BleepingComputer reports that three malicious packages have been uploaded by Lolip0p on the Python Package Index to spread information stealing malware.
All of the packages including colorslib, libhttps, and httpslib were uploaded from Jan. 7 to 12 but have already been removed from the PyPi repository, a Fortinet report revealed. The campaign also established legitimacy with the use of complete descriptions, which could deceive developers that they were using genuine resources.
While colorslib, httpslib, and libhttps have only been downloaded 248, 233, and 68 times, respectively, before their removal on Jan. 14, the impact of the infections could be significant. Researchers found the same malicious "setup.py" file that executes PowerShell to retrieve URL-based executable Oxyz.exe malware across all three packages. All packages also feature the "update.exe" file that spreads more malicious files, including "SearchProtocolHost.exe," which some antivirus systems recognize as an info-stealer.
One or more other processes dropped by the executable involve Discord token collection, indicating a general information-stealing malware operation.
