Checkmarx Zero researcher Ariel Harush has discovered evidence of a malicious package campaign that is consistent with live adversarial activity and adversarial research and testing. This campaign targets Python and NPM users on Windows and Linux via typo-squatting and name-confusion attacks against colorama (a widely-used Python package for colorizing terminal output) on PyPI and the similar colorizr JavaScript package on NPM. These malicious packages were uploaded to PyPI.

• Multiple packages uploaded to PyPI with significantly risky payloads were uploaded with names similar to legitimate packages in both PyPI and NPM.
• The tactic of using the name from one ecosystem (NPM) to attack users of a different ecosystem (PyPI) is unusual.
• Payloads allow persistent remote access to and remote control of desktops and servers, as well as harvesting and exfiltrating sensitive data.
• Windows payloads attempt to bypass antivirus/endpoint protection controls to avoid detection.
• Packages have been removed from public repositories, limiting immediate potential for damage.
  These behaviors are consistent with targeted adversarial activity and coordinated campaigns. It is likely, based on this pattern, that these were created either to attack a particular target or set of targets. No clear attribution data is currently available, so we do not know whether this campaign is connected to a well-known adversary.

Cross-Platform Supply Chain Attacks Targeting Users of

The Socket Research team investigates a malicious Python package disguised as a Discord error logger that executes remote commands and exfiltrates data via a covert C2 channel.
On March 21, 2022, a Python package ‘discordpydebug’ was uploaded to the Python Package Index (PyPI) under the name "Discord py error logger." At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library. However, the package concealed a fully functional remote access trojan (RAT). Over time, the package reached over 11,000 downloads, placing thousands of developer systems at risk.

The package targeted developers who build or maintain Discord bots, typically indie developers, automation engineers, or small teams who might install such tools without extensive scrutiny. Since PyPI doesn’t enforce deep security audits of uploaded packages, attackers often take advantage of this by using misleading descriptions, legitimate-sounding names, or even copying code from popular projects to appear trustworthy. In this case, the goal was to lure unsuspecting developers into installing a backdoor disguised as a debugging aid.

Discord’s developer ecosystem is both massive and tightly knit. With over 200 million monthly active users, more than 25% of whom interact with third-party apps, Discord has rapidly evolved into a platform where developers not only build but also live test, share, and iterate on new ideas directly with their users. Public and private servers dedicated to development topics foster an informal, highly social culture where tips, tools, and code snippets are shared freely and often used with little scrutiny. It’s within these trusted peer-to-peer spaces that threat actors can exploit social engineering tactics, positioning themselves as helpful community members and promoting tools like discordpydebug under the guise of debugging utilities.

The fact that this package was downloaded over 11,000 times, despite having no README or documentation, highlights how quickly trust can be weaponized in these environments. Whether spread via casual recommendation, targeted DMs, or Discord server threads, such packages can gain traction before ever being formally vetted.

Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages. These seven packages:

Coffin-Codes-Pro
Coffin-Codes-NET2
Coffin-Codes-NET
Coffin-Codes-2022
Coffin2022
Coffin-Grave
cfc-bsb
use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.

These packages have since been removed from the Python Package Index (PyPI).

Learn how JFrog detected a malicious package that steals MEXC credentials and crypto trading tokens to buy and sell futures on crypto trading platforms.

A newly discovered malicious PyPi package named 'disgrasya' that abuses legitimate WooCommerce stores for validating stolen credit cards has been downloaded over 34,000 times from the open-source package platform.

Yesterday, Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While the attacker published this malicious update to PyPI, they deliberately kept the package's GitHub repository clean

• A package called “lr-utils-lib” was uploaded to PyPi in early June 2024, containing malicious code that executes automatically upon installation.
• The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data.
• The harvested credentials are sent to a remote server.

An information-stealing script embedded in a Python package on the popular repository PyPI appears to be connected to a cybercriminal operation based in Iraq, according to researchers at Checkmarx.

Sonatype's automated malware detection systems identified a malicious PyPI package called crytic-compilers, connected to Russia-linked Lumma Windows stealer, and named very closely after a well-known legitimate Python library that is used by cryptocurrency developers.

Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware—answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware.

In this post, we analyze a cluster of malicious PyPI packages targeting specific MacOS machines.

Automation is making attacks on open source code repositories harder to fight.

An info-stealing PyPI malware author was identified discreetly uploading malicious packages.

FortiGuard Labs cover the attack phases of three new PyPI packages that bear a resemblance to the culturestreak PyPI package discovered earlier this year. Learn more.

The past year has seen over 10,000 downloads of malicious packages hosted on the official Python package repository, ESET research finds.

Security Researcher Tom Forbes worked with the GitGuardian team to analyze all the code committed to PyPi packages and surfaced thousands of hardcoded credentials.

During the month of September, an attacker operating under the pseudonym "kohlersbtuh15", attempted to exploit the open-source community by uploading a series of malicious packages to the PyPi package manager. Based on the names of these packages and the code contained within them, it appears that this attacker targeted developers that use Aliyun services (Alibaba Cloud), telegram, and AWS.

Malicious packages uploaded to PyPI, NPM, and Ruby repositories are targeting macOS users with information stealing malware.

Phylum has identified a malware campaign spanning PyPI, npm and RubyGems. Delivering early stage malware to users.

In early August, ReversingLabs identified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that gives asynchronous support for a range of databases.