
Malicious ‘Lolip0p’ PyPi packages install info-stealing malware
2023-01-16 16:41

A threat actor has uploaded to the PyPI repository three malicious packages that carry code to drop info-stealing malware on developers' systems.

All three have been reported and removed from PyPI. PyPI is the most widely used repository for Python packages that software developers use to source the building blocks of their projects.

Typically, malicious packages are uploaded masquerading as something useful or they mimic renowned projects by modifying their name.

PyPI doesn't have the resources to scrutinize all package uploads, so it relies on user reports to find and remove malicious files.

All three packages feature the same malicious 'setup.

To ensure the safety and security of their projects, software developers should pay attention when selecting packages for download. This includes checking the package's authors and reviewing the code for any suspicious or malicious intent.
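One way to carry out the code review recommended above without running anything, as an added example that is not from the original article: parse a downloaded package's `setup.py` with Python's `ast` module and list the imports and calls that deserve a manual look. The indicator sets, the function name `review_setup` and the sample script are assumptions constructed for illustration.

```python
import ast

# Assumption: modules and calls that rarely belong in a packaging script.
# A hit is a prompt for manual review, not proof of malice.
RISKY_MODULES = {"subprocess", "socket", "urllib", "requests", "base64", "ctypes"}
RISKY_CALLS = {"exec", "eval", "compile", "__import__", "system", "Popen",
               "urlopen", "b64decode"}


def review_setup(source: str) -> list[tuple[int, str]]:
    """Parse (never execute) setup.py source and return (line, finding) pairs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in RISKY_MODULES:
                findings.append((node.lineno, f"import {name}"))
        if isinstance(node, ast.Call):
            func = node.func
            # Plain name (eval) or attribute access (subprocess.Popen).
            called = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if called in RISKY_CALLS:
                findings.append((node.lineno, f"call {called}()"))
    return sorted(findings)


# Constructed sample with placeholder values; it is only parsed, never run.
SAMPLE_SETUP = '''\
from setuptools import setup
import subprocess
from urllib.request import urlopen

data = urlopen("https://example.invalid/placeholder").read()
subprocess.Popen(["placeholder-command"])

setup(name="constructed-sample", version="0.0.1")
'''

if __name__ == "__main__":
    for line, finding in review_setup(SAMPLE_SETUP):
        print(f"setup.py:{line}: {finding}")
```

To apply it to a real package, fetch the source archive without installing it (for example with `pip download --no-deps --no-binary :all:`), unpack it, and pass the contents of its `setup.py` to `review_setup`.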


News URL

https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packages-install-info-stealing-malware/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Pypi 15 0 0 1 15 16