CyberSecurityBoard
Sponsor Register Login

Malicious NPM, PyPI Packages Stealing User Information

Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors are increasingly relying on software supply chain attacks to infect both developers and users with malware. According to an October 2022 Sonatype report, the number of software supply chain attacks observed in 2022 was 633% higher compared to the previous year. Node.js and Python repositories are the preferred targets for malicious packages, mainly because code execution can be triggered during package installation, Check Point notes. In a new report, the cybersecurity firm says it has identified two malicious Python packages that fit this description. The first of them, Python-drgn, was uploaded to PyPI on August 8, 2022. Relying on typo-squatting, the package is meant to attract users who are looking for Drgn, a debugger with an emphasis on programmability. Py file, which automatically runs during package installation and which contains malware. The second malicious package is named bloxflip, typosquatting the Bloxflip. Py package, which is an API wrapper for bloxflip.com. The malicious code within bloxflip disables Windows Defender to prevent detection, then fetches an executable from a remote server, creates a subprocess, and executes the malicious payload. Phylum, on the other hand, says it has discovered over 100 malicious NPM packages that contain the payload in package. Json's postinstall script, which is executed during package installation. The malicious script harvests various types of information from the infected system and sends it to an attacker-controlled server. The software supply chain security firm also observed the package authors changing the remote server address over the course of 24 hours. "Code package supply chain attacks, in which attackers publish malicious packages or inject malicious code into legitimate code packages distributed through online code repositories and package managers, have increased significantly in recent years. These attacks can have serious consequences, including data compromise, operational disruption, and reputation damage," Check Point concludes.

This Cyber News was published on www.securityweek.com. Publication date: Thu, 02 Feb 2023 12:17:02 +0000


Cyber News related to Malicious NPM, PyPI Packages Stealing User Information

Hackers target Python devs in phishing attacks using fake PyPI site - Python developers and PyPI users who have received these phishing emails are advised not to click the embedded links and to delete the email immediately. In February, the Python Software Foundation introduced 'Project Archival,' a new system designed ...
2 months ago Bleepingcomputer.com
Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com
3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com
116 Malicious PyPI Packages Downloaded Over 10,000 Times - A cluster of malicious Python projects has been identified in PyPI, the official Python PyPI package repository, which targets both Windows and Linux systems and often deploys a custom backdoor. In certain instances, the ultimate payload consists of ...
1 year ago Cybersecuritynews.com
'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
1 year ago Bleepingcomputer.com
PyPI Warns of New Phishing Attack Targeting Developers With Fake PyPI site - This sophisticated attack targets developers who have published packages on the official repository, leveraging their trust in the PyPI ecosystem to harvest login credentials through a carefully crafted fake website that mimics the legitimate ...
2 months ago Cybersecuritynews.com
Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com
DPython's Poisoned Package: Another 'Blank Grabber' Malware in PyPI - Python Package Index is a platform that offers an extensive range of packages to simplify and enhance the development process. Malicious actors regularly upload phishing packages in the platform's repository aimed at delivering malware to steal the ...
1 year ago Imperva.com
Malicious npm and PyPI Pose as Developer Tools to Steal Login Credentials - The researchers noted that the packages employ various exfiltration methods to transmit stolen credentials to threat actors, with react-native-scrollpageviewtest using Google Analytics as its exfiltration channel, while the PyPI packages leverage ...
5 months ago Cybersecuritynews.com
5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
6 months ago Cybersecuritynews.com
New Typosquatting and Repojacking Tactics Uncovered on PyPI - Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories. This trend encompasses a wide array of malicious activities, including hosting command-and-control ...
1 year ago Infosecurity-magazine.com
Cybercriminals pose as "helpful" Stack Overflow users to push malware - Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware-answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware. Sonatype researcher Ax Sharma discovered ...
1 year ago Bleepingcomputer.com
Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices - Affected platforms: LinuxAffected parties: Linux users that have these malicious packages installedImpact: Latency in device performanceSeverity level: High. On December 5th, 2023, FortiGuard's AI-driven OSS malware detection system identified three ...
1 year ago Feeds.fortinet.com
npm 'accidentally' removes Stylus package, breaks builds and pipelines - Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code. BleepingComputer ...
2 months ago Bleepingcomputer.com
Lazarus Hackers Weaponized 6 npm Packages To Steal Logins - The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. A sophisticated supply chain attack orchestrated by the notorious ...
6 months ago Cybersecuritynews.com Lazarus Group
New Supply Chain Attack Leveraging Python Package Index Targeting Wacatac Trojan - A new supply chain attack has recently been detected targeting Python Package Index (PyPI) users with the Wacatac Trojan. This attack is seen as the latest in a series of advanced persistent threats (APT) targeting the escalating use of Python in ...
2 years ago Securityweek.com
Malicious PyPI packages abuse Gmail, websockets to hijack systems - Using a 'Client' class, the malware forwards traffic from the remote host to the local system through the tunnel, allowing internal admin panel and API access, file transfer, email exfiltration, shell command execution, credentials harvesting, and ...
5 months ago Bleepingcomputer.com Snatch
Hackers breach Toptal GitHub account, publish malicious npm packages - In the days that followed, the attackers modified the source code of Picasso on GitHub to include malware and published 10 malicious packages on NPM as Toptal, making them appear as legitimate updates. According to code security ...
2 months ago Bleepingcomputer.com
New npm attack poisons local packages with backdoors - Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. In general, when downloading packages from package indexes like PyPI and ...
6 months ago Bleepingcomputer.com
Lazarus Adds New Malicious npm Packages with Hexadecimal Encoding - These packages, part of the broader Contagious Interview operation, are designed to evade automated detection systems and manual code audits, marking a significant evolution in the group’s approach to cyber espionage and financial theft. The ...
6 months ago Cybersecuritynews.com Lazarus Group
New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload - These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The threat actor may have been attempting to ...
6 months ago Cybersecuritynews.com
Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors - Discovered in early 2025, several malicious npm packages have been masquerading as legitimate Telegram bot libraries to deliver SSH backdoors and exfiltrate sensitive data from unsuspecting developers. The malicious variants—node-telegram-utils, ...
5 months ago Cybersecuritynews.com
Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data - FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users. Detected between March 5 and March 14, 2025, these ...
5 months ago Cybersecuritynews.com
Trouble in Da Hood: Malicious Actors Use Infected PyPI Packages to Target Roblox Cheaters | Imperva - In recent research on compromised and malicious PyPI packages, Imperva Threat Research has identified an ongoing malware campaign specifically targeting Roblox hackers. Over time, vast communities have assembled on various platforms such as Reddit, ...
1 year ago Imperva.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)