Skip to main content

Tag: python package index

3 articles

Laptop screen displays PyPI webpage with developer workspace and team chat app in background.

PyPI Packages Deliver ZiChatBot Malware via Zulip APIs

Malicious Python packages on PyPI were found to be secretly delivering a new malware called ZiChatBot, which uses Zulip APIs to receive instructions. These seemingly harmless packages covertly dropped malicious components, highlighting the importance of vigilance when downloading code from public repositories.

Analyst 207
Laptop workstation with PyTorch Lightning package terminal open, displaying code on a neutral background.

Malicious PyTorch Lightning Package Exploits Supply Chain to Steal Credentials

A malicious version of the popular PyTorch Lightning package, downloaded over 11 million times, was found to contain a stealthy backdoor that steals credentials by silently executing a heavily obfuscated JavaScript payload. The compromised package, version 2.6.3, triggers the malicious routine automatically when imported, putting users at risk.

Analyst 207
Snake slithers through crowded, dimly lit library, symbolizing malicious code infiltration.

Malicious Code Infiltrates Python Package Index

A recent supply-chain attack on a popular Python package has raised a critical question: how much trust do you really have in the software that quietly powers your work? A malicious .pth file hidden in the litellm package version 1.82.8 can automatically execute malicious code on every Python startup.

Analyst 207