
PyPI Malicious Packages with Thousands of Downloads Targeting Python Developers

Rohan Timalsina

November 27, 2023 - TuxCare expert team

For the past six months, an unidentified threat actor has been slipping malicious packages into the Python Package Index (PyPI), a repository for Python software. The aim? To unleash malware capable of sneaking into your system, stealing sensitive data, and even nabbing your hard-earned cryptocurrency.

According to a recent report by Checkmarx, these 27 packages, disguised as genuine Python libraries, have been downloaded thousands of times. Most of the downloads came from the United States (41.58%), Germany, Japan, the UK, France, China (12.22%), Hong Kong, Russia, Ireland, and Singapore.


PyPI Malicious Packages: Attack Details


What makes this attack stand out is its use of steganography. Steganography is the practice of hiding information within another ordinary file to avoid detection. In this case, the attackers cleverly hid a malicious payload within an innocent-looking image file, making the attack harder to detect. The software supply chain security firm pointed out that this tactic significantly increased the stealthiness of the attack.

Some of the misleading packages include pyioler, pystallerer, pystob, pyowler, and pyhuluh. Their legitimate counterparts are pyinstaller, pysolr, pyston, prowler, and pyhull, respectively. The goal of this attack was to increase the likelihood of developers unintentionally downloading these harmful packages. The malicious packages have been downloaded over four thousand times.
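One way a team could catch look-alike names such as these before installation is to compare every entry in a requirements file against an allowlist of vetted package names and flag near misses. The sketch below is an added example, not code from Checkmarx or TuxCare; the allowlist, the sample requirements file, and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import re

# Constructed allowlist: legitimate names the article lists, plus one extra.
KNOWN_GOOD = ["pyinstaller", "pysolr", "pyston", "prowler", "pyhull", "requests"]
# Constructed requirements file containing three of the look-alike names.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
pystob>=1.0   # one letter away from pyston
PyOwler
pyhuluh[extra]==0.1
prowler
numpy
"""

def normalize(name):
    """PEP 503 normalization: lowercase, runs of - _ . become one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_names(text):
    """Yield the normalized project name from each requirement line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            yield normalize(match.group(0))

def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]

def flag_lookalikes(text, known_good=KNOWN_GOOD, max_distance=2):
    """Return (requested, nearest_known, distance) for near-miss names."""
    known = [normalize(k) for k in known_good]
    findings = []
    for name in requirement_names(text):
        if name in known:
            continue  # exact match with a vetted name
        dist, nearest = min((edit_distance(name, k), k) for k in known)
        if dist <= max_distance:
            findings.append((name, nearest, dist))
    return findings

if __name__ == "__main__":
    print(flag_lookalikes(SAMPLE_REQUIREMENTS))
```

A threshold of 2 will miss look-alikes that differ by more edits, and it can flag unrelated short names, so findings are prompts for manual review rather than verdicts.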

The trick used in these packages is a script that includes references to other malicious packages, such as pystob and pywool. These, in turn, use a Visual Basic Script (VBScript) to download and execute a file named “Runtime.exe”, establishing a persistent presence on the victim’s system.

Hidden within the binary file is a compiled program capable of extracting information from web browsers, cryptocurrency wallets, and various applications.

Checkmarx also noted an alternate attack chain, where the attackers concealed the executable code within a PNG image (“uwu.png”). This image is decoded and run to extract the public IP address and the universally unique identifier (UUID) of the affected system.

Packages like pystob and pywool posed as tools for API management, but their real agenda was to exfiltrate data to a Discord webhook. Additionally, they attempted to maintain persistence by placing the VBS file in the Windows startup folder.




In a digital landscape filled with threats, it’s crucial for developers and users to stay vigilant and identify PyPI malicious packages. Given the increasing risks, the U.S. government has issued new guidance this month, urging developers and suppliers to prioritize and raise awareness about software security. The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) recommend supply chain risk assessments for buying decisions to avoid falling victim to these malicious software supply chain incidents.


The sources for this article include a story from Checkmarx and TheHackerNews.
