New Typosquatting and Repojacking Tactics Uncovered on PyPI

Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories.
This trend encompasses a wide array of malicious activities, including hosting command-and-control infrastructure, storing stolen data and disseminating various forms of malware.
In a recent discovery, ReversingLabs reverse engineer Karlo Zanki uncovered two suspicious packages on the Python Package Index, named NP6HelperHttptest and NP6HelperHttper.
These packages were found to employ DLL sideloading, a technique malicious actors use to execute code discreetly and avoid detection by security monitoring tools.
Typosquatting and repojacking, also used in the deployment of these packages, are common tactics malicious actors employ to distribute look-alike packages, aiming to deceive developers into incorporating them into their applications.
The recent discovery of NP6HelperHttptest and NP6HelperHttper on PyPI exemplifies such tactics, exploiting similarities with legitimate NP6 packages - a marketing automation tool developed by Chapvision - to dupe unsuspecting users.
In this case, ReversingLabs discovered that the NP6 PyPI account wasn't officially associated with Chapvision; rather, it belonged to a Chapvision developer's personal account.
It remains uncertain whether the company was aware of the existence of the account, or of the NP6HelperHttp and NP6HelperConfig tools.
Upon notification of these packages by ReversingLabs, Chapvision confirmed that one of their employees had indeed published the helper tools.
Shortly thereafter, the packages were removed from PyPI. Further examination of the malicious packages revealed a sophisticated scheme involving executing malicious code hidden within setup.
These scripts facilitated the download and execution of both legitimate and malicious files, with the latter posing significant security risks.
ReversingLabs' research not only shed light on individual instances of malicious activity but also suggested a broader campaign involving multiple packages and sophisticated tactics, all relying on DLL sideloading.

This Cyber News was published on www.infosecurity-magazine.com. Publication date: Tue, 20 Feb 2024 17:45:27 +0000

Cyber News related to New Typosquatting and Repojacking Tactics Uncovered on PyPI

Hackers target Python devs in phishing attacks using fake PyPI site - Python developers and PyPI users who have received these phishing emails are advised not to click the embedded links and to delete the email immediately. In February, the Python Software Foundation introduced 'Project Archival,' a new system designed ...
5 months ago Bleepingcomputer.com

New Typosquatting and Repojacking Tactics Uncovered on PyPI - Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories. This trend encompasses a wide array of malicious activities, including hosting command-and-control ...
1 year ago Infosecurity-magazine.com

Typosquatting Wave Shows No Signs of Abating - One of the most enduring of these exploits is the practice of typosquatting - i.e., using look-alike websites and domain names to lend legitimacy to social engineering efforts. These look-alikes prey on users' inattention to verifying legitimate ...
1 year ago Darkreading.com

PyPI Warns of New Phishing Attack Targeting Developers With Fake PyPI site - This sophisticated attack targets developers who have published packages on the official repository, leveraging their trust in the PyPI ecosystem to harvest login credentials through a carefully crafted fake website that mimics the legitimate ...
5 months ago Cybersecuritynews.com

116 Malicious PyPI Packages Downloaded Over 10,000 Times - A cluster of malicious Python projects has been identified in PyPI, the official Python PyPI package repository, which targets both Windows and Linux systems and often deploys a custom backdoor. In certain instances, the ultimate payload consists of ...
2 years ago Cybersecuritynews.com

DPython's Poisoned Package: Another 'Blank Grabber' Malware in PyPI - Python Package Index is a platform that offers an extensive range of packages to simplify and enhance the development process. Malicious actors regularly upload phishing packages in the platform's repository aimed at delivering malware to steal the ...
2 years ago Imperva.com

Cybercriminals pose as "helpful" Stack Overflow users to push malware - Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware-answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware. Sonatype researcher Ax Sharma discovered ...
1 year ago Bleepingcomputer.com

3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com

PyPi package backdoors Macs using the Sliver pen-testing suite - A new package mimicked the popular 'requests' library on the Python Package Index to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate networks. Discovered by Phylum, the campaign involves ...
1 year ago Bleepingcomputer.com

From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering - Key takeaways  TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime. In addition to using specially ...
1 year ago Proofpoint.com

PyPI urges users to reset credentials after new phishing attacks - PyPI, the Python Package Index, has issued a critical security advisory urging all users to reset their credentials following a surge in sophisticated phishing attacks targeting its platform. These attacks have been designed to steal user credentials ...
3 months ago Bleepingcomputer.com

PyPI invalidates tokens stolen in GhostAction supply chain attack - PyPI, the Python Package Index, has taken decisive action to invalidate tokens that were compromised during the GhostAction supply chain attack. This incident highlights the increasing risks associated with supply chain attacks in the software ...
3 months ago Bleepingcomputer.com GhostAction

PyPI Bans Inbox.ru Domains Following Massive 1,500+ Fake Project Uploads - The attack, which began on June 9, 2025, involved the creation of more than 250 user accounts that systematically flooded the repository with empty packages designed to exploit package confusion vulnerabilities. The campaign demonstrated a methodical ...
5 months ago Cybersecuritynews.com

Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com

Carding tool abusing WooCommerce API downloaded 34K times on PyPI - "This entire workflow—from harvesting product IDs and checkout tokens, to sending stolen card data to a malicious third party, and simulating a full checkout flow—is highly targeted and methodical," says Socket. A newly discovered ...
9 months ago Bleepingcomputer.com

New PyPI Malware Poses as Crypto Wallet Tools to Steal Private Keys - The cybersecurity researchers at Checkmarx uncovered a series of new supply chain attacks that exploited the Python Package Index (PyPI) in September 2024 using malicious packages to target cryptocurrency wallets. These packages identified as ...
1 year ago Hackread.com

New Supply Chain Attack Leveraging Python Package Index Targeting Wacatac Trojan - A new supply chain attack has recently been detected targeting Python Package Index (PyPI) users with the Wacatac Trojan. This attack is seen as the latest in a series of advanced persistent threats (APT) targeting the escalating use of Python in ...
2 years ago Securityweek.com

East Texas hospital network can't receive ambulances because of potential cybersecurity incident - GetTime();if(!(u<=a&&d<=l throw new RangeError("Invalid interval");return r.inclusive?u<=l&&d<=a:ut||isNaN(t. Step):1;if(s<1||isNaN(s throw new RangeError("`options. Step):1;if(l<1||isNaN(l throw new RangeError("`options. GetTime()<=n throw new ...
2 years ago Cnn.com

Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com

North Korean hackers target open-source repositories in new espionage campaign | The Record from Recorded Future News - North Korean state-backed hackers have planted malicious code in open-source software repositories as part of an ongoing campaign that has already put tens of thousands of developers at risk of surveillance and data theft, according to new research. ...
5 months ago Therecord.media

Malicious npm and PyPI Pose as Developer Tools to Steal Login Credentials - The researchers noted that the packages employ various exfiltration methods to transmit stolen credentials to threat actors, with react-native-scrollpageviewtest using Google Analytics as its exfiltration channel, while the PyPI packages leverage ...
8 months ago Cybersecuritynews.com

Attackers Finding Novel Ways to Abuse GitHub: ReversingLabs - Threat actors are finding new ways to take advantage of GitHub in hopes of tricking developers into putting malicious code into their software and sending to users downstream, according to researchers with ReversingLabs. Code repositories like GitHub ...
2 years ago Securityboulevard.com

New York's cyber chief on keeping cities and states safe from cyberattacks | The Record from Recorded Future News - And so we think that that'll continue to evolve the security posture of New York State in a way that first and foremost provides the public good, which is, if a government service is not secure, it can't be considered reliable. We're ...
9 months ago Therecord.media