Developers beware: These rogue Python packages hide a nasty surprise

Binary code in red lettering displayed on a computer screen denoting a cyber attack or malware infection.
(Image credit: Getty Images)

Python developers working on AI, machine learning, and crypto projects should be careful about which open source packages they chose, after a security company identified a long-running campaign featuring malicious packages uploaded to the Python Package Index (PyPI).

The PyPI is a repository of open source software for the Python programming language which allows developers to find and install software created and shared by others in the community. Its acceptable use policy bans the use of the repository “as a means to deliver malicious executables or as attack infrastructure”.

But security firm Sonatype said it discovered a malicious package hiding code that downloads and installs trojanized Windows binaries which are capable of surveillance, crypto-theft, and more. More worryingly, the security researchers have linked the malware to similar packages that are apparently part of a wider, months-long campaign.

The company’s malware detection engines recently flagged the newly published PyPI package called "pytoileur”. It had been downloaded over 200 times between being published the day before and before PyPI admins took it down.

The package describes itself as a "Cool package." in its metadata, with the HTML webpage description touting it as an "API Management tool written in Python."

The reference to "pystob" suggests the package attempting to typosquat users of legitimate packages like "Pyston”, Sonatype said.

Inside the package, Sonatype security researchers found a command which executed a base64-encoded payload which retrieves a malicious executable from an external server. The package further drops suspicious executables, modifies Windows registry settings, and deploys payloads that have previously been identified as spyware.

One of the binaries contained info-stealing and crypto-jacking capabilities. The binary attempts to exfiltrate user profiles and data saved in common web browsers such as Google Chrome, Brave, and Firefox and attempts to access local assets associated with fintech and crypto services like Binance, Coinbase, Exodus Wallet, PayPal, Payoneer, and PaySafeCard.

Sonatype also spotted attempts to get developers to download the rogue package. It said it had identified one newly-created Stack Overflow user account recommending the package to developers seeking debugging help, offering the malicious package as a solution to their issue even though it was unrelated to the questions posted by developers.

Researchers noted the package was likely part of a wider campaign. Last year a PyPI user -possibly the same one, the company said - had published several packages with the same shorthand metadata description "Cool package," and which employed much of the same tactics.

Many marketed themselves as an "API Management tool written in Python," but actually downloaded trojanized Windows binaries from URLs with similar structures.


It also found packages associated with this campaign which appeared to target developers building AI applications. These would, however, instead contain base64-encoded payload hidden using whitespaces — just like Pytoileur.

One of these PyPI packages makes the purpose of the campaign a little clearer by containing several "modules" written in plaintext Python code. With names like ‘Clipboard’ and ‘Webcam’, these are designed to attempt, among other things, clipboard hijacking, achieving persistence, deploying keyloggers, securing remote webcam access, and taking screenshots for the attacker.

Sonatype said it had identified more than two dozen suspicious packages likely connected to the campaign.

This campaign is not the only risk that is out there for unwary developers looking to download a useful package. Sonatype also spotted a separate 'crytic-compilers' PyPI package. This has a name similar to that of a well-known legitimate Python library which is used by cryptocurrency developers. This counterfeit managed 436 downloads before being taken offline.

Sneakily, it had been designed to match up with the version numbers of the real library which gets over 170,000 monthly downloads.

“Whereas the real library's latest version stops at 0.3.7, the counterfeit 'crytic-compilers' version picks up right here, and ends at 0.3.11 — giving off the impression that this is a newer version of the component,” Sonatype noted.

However, rather than help developers finish their project, the fake version would attempt to empty their crypto wallets.

In February, the Japanese Computer Emergency Response Team Coordination Center warned that North Korea’s hackers had uploaded malicious Python packages to PyPI with similar names to Python packages used for encryption algorithms in Python, hoping that developers would confuse their malicious code with the real thing.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of