
Hackers Hijack Python Packages Again: Dangerous Malware Spreads Through Popular Repositories


Hackers have once again hijacked Python packages to spread dangerous malware, targeting Python developers across industries, particularly those working in blockchain development. Recent reports describe multiple incidents in which malicious packages were uploaded to the Python Package Index (PyPI) while masquerading as legitimate libraries. The packages are used to compromise developers’ systems, steal sensitive data, and potentially enable attacks on downstream users or organizations.

One of the key threats identified in this wave of attacks is a malware family called PondRAT. This malware, believed to be a lighter variant of POOLRAT—a macOS backdoor linked to the notorious Lazarus Group—was spread through malicious Python packages uploaded to PyPI. The attack, attributed to North Korean threat actors, used Python packages such as “real-ids” and “beautifultext” to target developers by embedding remote access tools capable of stealing information and executing commands on compromised systems. The malware has been observed on both Linux and macOS, using techniques similar to those seen in earlier Lazarus Group campaigns such as AppleJeus (used for cryptocurrency theft) and the 3CX supply chain attack (The Hacker News).

Another campaign leveraged a counterfeit Python package mirror, hosted at “files.pypihosted.org,” to distribute a modified version of the popular “colorama” library into which malicious code had been injected. The mirror was used alongside stolen GitHub credentials, allowing the attackers to push changes to reputable repositories as verified commits, which made it difficult to distinguish legitimate code from compromised code. The campaign impacted over 170,000 users, illustrating how well the attackers understand the weak points of the software supply chain (InfoSec News).

Furthermore, Checkmarx researchers discovered a batch of malicious packages on PyPI, including “AtomicDecoderss” and “TrustDecoderss,” designed specifically to steal cryptocurrency wallet data such as private keys. These packages were disguised as tools for managing wallets like MetaMask, Trust Wallet, and Exodus. The malware hid its malicious logic in dependencies to avoid detection, so the packages appeared harmless on the surface, which increased the likelihood that unsuspecting users would download and install them (TechRadar).

These attacks highlight the ongoing risks within the open-source ecosystem, particularly in repositories like PyPI on which the developer community relies heavily. Developers need to be vigilant when sourcing software dependencies, because abusing seemingly legitimate packages has become a favored method for attackers seeking to exploit the software supply chain.
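As an added, defender-side example that is not part of the original post, the script below audits the two points the post raises: where a project actually pulls packages from (the counterfeit mirror case above) and whether the dependencies it installs are pinned. It reads a requirements file or pip configuration and reports every package source whose host is not the official index (pypi.org and files.pythonhosted.org; the latter is the legitimate host that a “files.pypihosted.org” lookalike imitates), marking near-matches of those names separately, and it lists requirements that carry no `--hash=` pin. The sample requirements text, version numbers and hash are constructed for the example; the trusted-host set and the 0.8 similarity threshold are assumptions to adjust per organization.

```python
"""Audit pip sources and hash pinning in a requirements file or pip.conf.

Added example, not code from the original post. Assumes the project keeps
its dependencies in requirements.txt-style files and/or pip.conf / pip.ini.
"""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Hosts pip contacts when using the official index. Assumption: anything
# else (internal mirrors included) is reported so a human can review it.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
LOOKALIKE_THRESHOLD = 0.8  # assumed similarity ratio for "looks like a trusted host"

# Requirements-file options that point pip at a package source.
_SOURCE_OPTION = re.compile(
    r"^\s*(?:-i|--index-url|--extra-index-url|-f|--find-links|--trusted-host)"
    r"(?:\s*=\s*|\s+)(\S+)"
)
# The same settings as pip.conf / pip.ini keys.
_CONF_KEY = re.compile(
    r"^\s*(?:index-url|extra-index-url|find-links|trusted-host)\s*=\s*(\S+)"
)
_URL = re.compile(r"https?://[^\s'\"]+")          # direct-URL requirements
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
_COMMENT = re.compile(r"(^|\s)#.*$")             # pip comments start at "#" after whitespace

# Constructed sample input (not a real project's file). The hash is a placeholder.
CONSTRUCTED_REQUIREMENTS = """\
# constructed sample, not a real project's file
--index-url https://pypi.org/simple
--extra-index-url https://files.pypihosted.org/simple
requests==2.31.0 --hash=sha256:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
colorama==0.4.6
fancy-lib @ https://internal.example.com/fancy_lib-1.0-py3-none-any.whl
"""


def host_of(source):
    """Hostname of a URL, or the value itself for bare-host options like --trusted-host."""
    if "://" in source:
        return (urlparse(source).hostname or "").lower()
    return source.split("/")[0].split(":")[0].lower()


def lookalike_of(host):
    """The trusted host this name most resembles, if it is suspiciously close; else None."""
    best, score = None, 0.0
    for trusted in TRUSTED_HOSTS:
        ratio = SequenceMatcher(None, host, trusted).ratio()
        if ratio > score:
            best, score = trusted, ratio
    return best if score >= LOOKALIKE_THRESHOLD else None


def audit_sources(text):
    """Return (line_no, host, reason) for every package source not in TRUSTED_HOSTS."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _COMMENT.sub("", raw)
        candidates = set()
        for pattern in (_SOURCE_OPTION, _CONF_KEY):
            match = pattern.match(line)
            if match:
                candidates.add(match.group(1))
        candidates.update(_URL.findall(line))
        for host in sorted({host_of(c) for c in candidates}):
            if not host or host in TRUSTED_HOSTS:
                continue
            twin = lookalike_of(host)
            reason = f"lookalike of {twin}" if twin else "not in TRUSTED_HOSTS"
            findings.append((lineno, host, reason))
    return findings


def unhashed_requirements(text):
    """Names of requirement lines that carry no --hash= option."""
    names = []
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line or line.startswith("-"):
            continue  # blank line or a pip option, not a requirement
        match = _REQ_NAME.match(line)
        if match and "--hash=" not in line:
            names.append(match.group(1))
    return names


if __name__ == "__main__":
    for lineno, host, reason in audit_sources(CONSTRUCTED_REQUIREMENTS):
        print(f"line {lineno}: {host}: {reason}")
    print("no hash pin:", ", ".join(unhashed_requirements(CONSTRUCTED_REQUIREMENTS)))
```

On the constructed input the lookalike mirror on line 3 is reported as resembling files.pythonhosted.org, the internal wheel host on line 6 is reported simply as untrusted, and colorama and fancy-lib are listed as lacking a hash pin. Running such a check in CI before `pip install --require-hashes` catches a swapped index URL or an unpinned dependency before it reaches a developer machine.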
