Dozens of Malicious 'HTTP' Libraries Found on PyPI

Written by

ReversingLabs researchers have discovered a large number of malicious libraries on the Python Package Index (PyPI) repository.

According to an advisory published Wednesday by Lucija Valentic, a software threat researcher at ReversingLabs, most of the discovered files were malicious packages posing as HTTP libraries.

"The descriptions for these packages, for the most part, don't hint at their malicious intent," Valentic explained. "Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimate HTTP libraries."

In particular, the ReversingLabs spotted 41 malicious PyPI packages, which the security researchers divided into two types.

The first was downloads utilized to deliver second-stage malware to compromised systems, while the second was info-stealers.

"It is not unusual for bad actors to invoke the acronym "HTTP" while naming malicious packages," Valentic said. 

She explained that developers often use HTTP libraries to communicate with appropriate APIs for third-party module functionalities.

"This background makes HTTP libraries very interesting to malicious actors and to researchers tracking malicious campaigns online," the security researcher wrote.

As for the malicious packages detected by ReversingLabs, Valentic said they shared various similarities.

"The packages contain only a few files, most with very little information identifying them, compared with legitimate software modules," she wrote in the advisory.

"The functionality and purpose contained in these packages are fictitious. The real purpose of these packages is malicious and not described."

A list of these malicious packages and detailed descriptions of some of them is available in the ReversingLabs advisory.

"Typosquatting attacks on platforms like PyPI, npm, RubyGems and GitHub are common," Valentic warned.

"Developers should frequently conduct security assessments of third-party libraries and other dependencies in their code."

The technical write-up comes days after JavaScript developer Jesse Mitchell spotted threat actors uploading over 15,000 spam packages to the open-source npm repository.

What’s hot on Infosecurity Magazine?