Tag: pypi
27 articles

Malicious SDKs Target Paysafe, Skrill Users with Credential Theft
Beware of malicious software development kits (SDKs) masquerading as legitimate Paysafe, Skrill, and Neteller tools, designed to secretly steal your credentials. Researchers uncovered 17 fake packages on popular platforms, putting users at risk of credential theft.

Malware Exploits GitHub PoCs to Target Cybersecurity Researchers
Cybersecurity researchers are being targeted by a sneaky new campaign that uses malicious GitHub proof-of-concept exploits to deliver a remote access trojan, with over 2,400 downloads of a trojanized Python package already recorded. The attack unfolds through a multi-stage supply-chain trick involving compromised PyPI packages.

Malicious PyPI Packages Expose Telegram Bot Servers to Hacker Control
Hackers have launched a sneaky attack, hiding malicious code in fake Python packages on PyPI, which can take control of Telegram bot servers and give attackers access to sensitive info like chats, contacts, and environment variables. This backdoor can be activated with a simple command, allowing attackers to execute any Python code on the victim's machine.

TeamPCP Exploits Open-Source Trust Model in Mass Software Compromise
In a shocking display of cunning, TeamPCP has compromised over 1,000 software packages in under four months, injecting malicious code and redefining the notion of trust in open-source supply chains. This brazen attack has left a trail of destruction, with roughly 500 million weekly downloads affected across major registries like npm, PyPI, and GitHub.

PyPI Packages Poisoned in Hades Supply Chain Attack
Malicious actors have launched a supply-chain attack on the Python Package Index (PyPI), infecting 19 packages with 37 tainted versions that can download and execute a hidden JavaScript payload. This sneaky Hades campaign uses poisoned Python packages to spread its reach, putting developers and users at risk.

Shai-Hulud Malware Targets Python Packages, Exposes Developer Secrets
Hundreds of thousands of downloads of 19 popular Python packages were compromised in a massive supply-chain attack that stole developer secrets, courtesy of the Shai-Hulud malware. The malicious packages, disguised as useful bioinformatics and science tools, were actually designed to expose sensitive information.

TrapDoor Attack Spreads Credential-Stealing Malware Across Software Ecosystems
A massive supply chain attack, dubbed TrapDoor, has been spreading credential-stealing malware across three major language ecosystems, infecting over 34 malicious packages and 384 versions. The coordinated campaign began on May 22, 2026, and continues to target developers with cleverly named packages related to cryptocurrency, DeFi, Solana, and AI.

Developer Workstations Expose Software Supply Chain to Credential Theft
In a shocking 48-hour span, three separate cyber attacks hit major platforms, targeting sensitive secrets like API keys and cloud credentials from developer workstations and CI/CD pipelines. This new wave of supply chain threats reveals a disturbing trend: attackers are now focusing on harvesting credentials to compromise your entire software development process.

OpenAI Breach Exposes Code-Signing Certificates in TanStack Supply Chain Attack
OpenAI revealed that two employee devices were compromised in a recent TanStack supply-chain attack, but fortunately, customer data, production systems, and intellectual property remained safe. The breach was limited to a small set of internal source code repositories and credentials.

Malware Worm Targets npm, PyPi in Mass Supply-Chain Attack
A self-spreading worm, dubbed Mini Shai-Hulud, has infected over 170 packages with nearly 180 million weekly downloads, posing a massive threat to the software supply chain. This highly contagious malware has been open-sourced, making it easier for others to exploit and escalate the attack.

Malware Targets TanStack npm Packages in Supply Chain Attack
Malware attackers have infiltrated the TanStack npm packages, modifying 84 artifacts in a supply chain attack that could compromise major developer ecosystems. The malicious code, aimed at stealing credentials, was published across 42 packages on May 11, with some, like @tanstack/react-router, downloaded over 12 million times weekly.

PyPI Packages Deliver ZiChatBot Malware via Zulip APIs
Malicious Python packages on PyPI were found to be secretly delivering a new malware called ZiChatBot, which uses Zulip APIs to receive instructions. These seemingly harmless packages covertly dropped malicious components, highlighting the importance of vigilance when downloading code from public repositories.

OceanLotus Exploits PyPI to Deliver ZiChatBot Malware
Kaspersky's analysis uncovered a sneaky malware attack on PyPI, where OceanLotus hackers uploaded fake packages that looked like harmless libraries, tricking users into installing the ZiChatBot malware. The malicious packages, uploaded in July 2025, masqueraded as legitimate tools like uuid32-utils, colorinal, and termncolor.

Malicious PyTorch Lightning Package Exploits Supply Chain to Steal Credentials
A malicious version of the popular PyTorch Lightning package, downloaded over 11 million times, was found to contain a stealthy backdoor that steals credentials by silently executing a heavily obfuscated JavaScript payload. The compromised package, version 2.6.3, triggers the malicious routine automatically when imported, putting users at risk.

PyTorch Lightning Targeted in PyPI Supply Chain Credential Heist
Malicious actors have struck PyTorch Lightning with a supply chain attack, publishing two tainted package versions that automatically steal credentials when imported. The attack involves a sneaky _runtime directory with a downloader and obfuscated JavaScript payload.

PyPI Package elementary-data Compromised to Steal Developer Data
A malicious release of the popular elementary-data package on PyPI, which has over 1.1 million monthly downloads, allowed an attacker to steal developer data through a sneaky backdoor. This widely-used open-source tool for data observability in dbt pipelines became a prime target for the secrets-stealing campaign.

Supply-Chain Attacks Target Software Libraries
Supply-chain attacks are now using automation tools to spread malware at alarming speed, with recent incidents showing malicious code can go live in mere hours and be merged into projects in just minutes. This sinister trend highlights the dark side of modern software development's emphasis on speed and automation.

North Korean Hackers Expand Malicious Package Reach Across Multiple Coding Ecosystems
Beware of the Trojan horse in your code: North Korean hackers have quietly infiltrated multiple package ecosystems, publishing around 1,700 malicious packages that masquerade as legitimate developer tools but act as malware loaders. This sneaky campaign, linked to the Contagious Interview group, puts developers and organizations relying on shared code on high alert.

PyPI Breach: TeamPCP's Alarming Software Supply Chain Attack Uncovered
A shocking new software supply chain attack has been uncovered, putting developers and users on high alert: a malicious package on PyPI, disguised as a legitimate tool, has been delivering credential-stealing malware. Can you trust the software you download?

Malicious PyPI Packages Spread Devastating Malware
Malicious actors have struck again, this time infiltrating the Python Package Index (PyPI) with tainted versions of popular packages Telnyx and LiteLLM, putting developers' sensitive credentials at risk. Can we trust the software supply chain when even seemingly secure systems can be breached?

Legacy Python Bootstrap Scripts: Stunning PyPI Threat
Legacy zcbuildout scripts left in projects can become silent attack vectors—if a referenced domain lapses and an attacker reclaims it, builds can pull and execute malicious code that reaches PyPI. ReversingLabs’ findings show how a tiny oversight in old bootstrap helpers can enable wide supply‑chain compromise, so it’s time to find, update, or remove those scripts.

Vulnerable Rust crate: Stunning critical uv Python flaw
async-tar, a tiny Rust crate, unexpectedly sparked a chain reaction when a flaw in a forked copy rippled into fast uv, showing how fragile ecosystems built on forks can be; one fork is patched, but the most widely downloaded release still sits unpatched.

Discord webhooks: Powerful but Risky Supply-Chain Threat
Imagine a trusted package quietly sending your API keys to a Discord channel — researchers found npm, PyPI, and RubyGems libraries doing exactly that by abusing Discord webhooks as a simple command-and-control. Protect your projects now: audit and pin dependencies, lock down secrets, and add egress controls before convenience becomes the next supply-chain disaster.

phishing campaign: Risky PyPI Scam — Must-Read Alert
Got an email asking you to verify your PyPI credentials? Change your password and enable MFA right away — attackers are running a convincing fake PyPI site to harvest logins and could use stolen accounts to push malicious packages or compromise your supply chain.