Developers beware: Imposter HTTP libraries lurk on PyPI

Researchers from ReversingLabs found a surge of malicious PyPI packages masquerading as HTTP libraries, using typosquatting and deceptive naming to distribute downloaders and info stealers. The campaign shows how open-source repositories continue to be abused for software supply-chain attacks, with a detailed list of suspect packages and guidance for developers.
Hashtags: #httpxv2 #httpsus #aio6 #htps1 #PyPI #Infostealer

Key points

  • ReversingLabs detected 41 malicious PyPI packages posing as HTTP libraries.
  • Two distinct malicious module types were identified: downloaders (to deliver second-stage malware) and info stealers (for data exfiltration).
  • Malicious packages often hide payloads in files like setup.py or __init__.py and mimic legitimate HTTP libraries.
  • Names frequently invoke the HTTP acronym to fool developers (typosquatting and impersonation).
  • Examples include the info stealer httpxv2 and the downloader httpsus; many other variants, such as aio5, aio6, htps1 and httpsos, are listed in the report.
  • Legitimate HTTP libraries (e.g., requests, urllib, urllib3, aiohttp) are recommended alternatives; ongoing monitoring of dependencies is advised.
  • Security tools such as ReversingLabs A1000 can help analyze and classify third-party libraries for risk before they are adopted.
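The dependency-monitoring advice above can be turned into a concrete pre-install check. The following is an added example written for this summary, not code from ReversingLabs or from the report: it parses a requirements file, flags exact matches against the package names the report lists as malicious, and applies a typosquat heuristic (string similarity plus an "http"/"htp" prefix rule) against the legitimate HTTP libraries the report recommends. The requirements text and the name `requestss` are constructed for the demonstration; `httpx` is added to the legitimate set as an assumption, since it is the library the `httpxv2`/`httpxv3` names imitate.

```python
import re
from difflib import SequenceMatcher

# Legitimate HTTP libraries recommended in the report, plus httpx (assumption:
# it is the library the httpxv2/httpxv3 impostors are named after).
LEGITIMATE_HTTP_LIBS = {"requests", "urllib3", "aiohttp", "httpx"}

# Package names taken from the report's indicators of compromise.
KNOWN_MALICIOUS = {"aio5", "aio6", "htps1", "httpsus", "httpxv2", "httpxv3"}

# Constructed requirements.txt contents for the demonstration (not a real project).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
aiohttp>=3.9
httpxv2
htps1==0.1.0
# internal tooling
numpy
aio6
requestss
"""

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Extract normalized package names from requirements-file text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        m = _REQ_LINE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()


def classify(name, threshold=0.75):
    """Return (verdict, detail):
    ('malicious', name)     exact hit on the report's IoC list
    ('suspicious', lib)     unknown name that resembles a legitimate HTTP library
    ('ok', None)            otherwise
    """
    n = normalize(name)
    if n in KNOWN_MALICIOUS:
        return ("malicious", n)
    if n in LEGITIMATE_HTTP_LIBS:
        return ("ok", None)
    # Typosquat heuristic: closest legitimate HTTP library by string similarity,
    # or a name that invokes the HTTP acronym without being a known library.
    best = max(LEGITIMATE_HTTP_LIBS, key=lambda lib: similarity(n, lib))
    if similarity(n, best) >= threshold or n.startswith(("http", "htp")):
        return ("suspicious", best)
    return ("ok", None)


def audit(text):
    """Map every dependency in the requirements text to its verdict."""
    return {name: classify(name) for name in parse_requirements(text)}


if __name__ == "__main__":
    for pkg, (verdict, detail) in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg:12} {verdict:10} {detail or ''}")
```

A `suspicious` verdict is a prompt for manual review (the heuristic will also flag harmless names that start with "http"), while `malicious` should block the install; in a CI job, a non-zero exit on either verdict is the simplest integration.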

MITRE Techniques

  • [T1195] Supply Chain – Malicious PyPI packages posing as HTTP libraries are distributed to deliver malware. “Specifically, ReversingLabs detected 41 malicious PyPI packages posing as HTTP libraries…”
  • [T1059.006] Python – Malicious payloads embedded in Python files (setup.py / __init__.py) are executed as part of package import. “…This file is implicitly executed after a package has been imported somewhere.”
  • [T1027] Obfuscated/Compressed Files and Information – Payloads hidden by base64 encoding to evade detection. “…the suspicious payload of the httpsus package is slyly hidden, encoded with base64…”
  • [T1036] Masquerading – Package names invoke the HTTP acronym to mislead developers into thinking they are legitimate HTTP libraries. “…names that invoke the “HTTP” acronym — an obvious effort to fool developers into believing the package is an HTTP library.”
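The T1059.006 and T1027 entries describe the same mechanism: an encoded payload placed in setup.py or __init__.py so that it runs when the package is installed or imported. The following added example, written for this summary and not taken from the report or from ReversingLabs tooling, is a static check for that pattern. It parses a module with Python's `ast`, reports `exec`/`eval` calls, `b64decode` calls and long base64-looking string literals, and combines them into a risk level; `scan_package_dir` applies it to the two file names the report singles out. The suspicious and benign module texts are constructed for the demonstration, and the encoded blob decodes to a harmless print statement.

```python
import ast
import base64
import os
import re

# Constructed sample of a trojanized __init__.py (not from the report); the
# encoded blob decodes to a harmless print statement.
_BLOB = base64.b64encode(b"print('hello from a decoded blob')" * 2).decode()
SAMPLE_SUSPICIOUS = f'''
import base64
_p = "{_BLOB}"
exec(base64.b64decode(_p))
'''

# Constructed sample of an ordinary package __init__.py.
SAMPLE_BENIGN = '''
from .client import Client
__all__ = ["Client"]
'''

# A run of 40+ base64-alphabet characters with optional padding.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def _dotted(node):
    """Dotted name of a call target, e.g. 'base64.b64decode'; None if dynamic."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        parent = _dotted(node.value)
        return f"{parent}.{node.attr}" if parent else node.attr
    return None


def scan_module(source, filename="<module>"):
    """Return a list of (lineno, kind, detail) findings for one module."""
    findings = []
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as exc:
        return [(0, "syntax_error", str(exc))]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func) or ""
            if name in ("exec", "eval"):
                findings.append((node.lineno, "dynamic_exec", name))
            elif name.endswith("b64decode"):
                findings.append((node.lineno, "base64_decode", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if _B64_RE.match(node.value):
                findings.append((node.lineno, "long_base64_literal", node.value[:16] + "..."))
    return findings


def risk_level(findings):
    """'high' when decoded data is fed to exec/eval, 'medium' for either alone."""
    kinds = {kind for _, kind, _ in findings}
    encoded = kinds & {"base64_decode", "long_base64_literal"}
    if "dynamic_exec" in kinds and encoded:
        return "high"
    if kinds & {"dynamic_exec", "base64_decode", "long_base64_literal"}:
        return "medium"
    return "low"


def scan_package_dir(root):
    """Scan the files the report names as the usual hiding places."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn in ("setup.py", "__init__.py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = scan_module(fh.read(), path)
    return results


if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        found = scan_module(src, label)
        print(label, risk_level(found), found)
```

Run `scan_package_dir` over an unpacked sdist or wheel before installing it; a `high` result on setup.py or __init__.py is the shape the report describes and warrants pulling the package into a sandbox or an analysis platform rather than a developer machine.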

Indicators of Compromise

  • [Package name] Malicious PyPI packages – aio5, aio6, htps1, httpsus, httpxv2, httpxv3 (example names indicating malicious HTTP-library impersonation)
  • [SHA1] File hash – 8c80db3ea4ebf67da6839c249270184dc4fcaeab, 92bcbf74010bb056b79968cd64289d100c8a80c7 (examples from the table of malicious packages)

Read more: https://www.reversinglabs.com/blog/beware-impostor-http-libraries-lurk-on-pypi