CyberSecurity news

FlagThis - #PyPI

MalBot@malware.news //

Supply Chain Attack on Open Source Packages - Multiple open-source packages on npm were compromised with cryptomining malware via compromised maintainer accounts and stolen API tokens.
A supply chain attack has compromised open-source packages associated with rspack and vant, injecting cryptomining malware. The compromised packages had hundreds of thousands of weekly downloads, posing a significant threat to users of these projects. The affected version is 1.1.7. This event underscores the growing threat of supply chain attacks targeting open-source software projects. The vulnerability emphasizes the need for stronger security protocols in open-source ecosystems and for better vetting of dependencies.

Recommended read:
References :
  • malware.news: Open source in the crosshairs: New cryptomining hacks highlight key threat
  • The Hacker News: TheHackerNews article about Rspack npm packages compromised with crypto mining malware.
  • AAKL: Socket, from yesterday: Supply Chain Attack on Rspack npm Packages Injects Cryptojacking Malware More:
  • Security Risk Advisors: Supply Chain Attack on Rspack npm Packages Deploys Cryptojacking Malware
  • Blog (Main): ReversingLabs reports on cryptomining hacks in open source projects.
  • socket.dev: Open source in the crosshairs: New cryptomining hacks highlight key threat
  • www.bleepingcomputer.com: Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.
  • Osint10x: Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack
  • Osint10x: OSINT10X reports on cryptomining hacks on open source packages.
  • BleepingComputer: Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.
  • Security Boulevard: OSS in the crosshairs: Cryptomining hacks highlight key new threat
  • 2024 Sonatype Blog: npm packages from Rspack, Vant compromised, blocked by Sonatype
  • www.npmjs.com: npm packages from Rspack, Vant compromised, blocked by Sonatype
  • malware.news: Supply chain attack compromises rspack, Vant packages with XMRig cryptominer
  • securityonline.info: Rspack Supply Chain Attack Injects Cryptojacking Malware Into npm Ecosystem
  • www.scworld.com: Supply chain attack compromises rspack, Vant packages with XMRig cryptominer
  • osint10x.com: Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner
  • securityonline.info: Rspack Supply Chain Attack Injects Cryptojacking Malware Into npm Ecosystem
  • Osint10x: Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner
  • hackread.com: Supply Chain Attack Hits Popular Rspack and Vant npm Packages with Monero Miner
@Talkback Resources //

WordPress Sites Vulnerable to Script Injection, PyPI Package Pirating Music - Millions of WordPress websites are vulnerable to script injection attacks due to a flaw in the Essential Addons for Elementor plugin, and a fake WordPress plugin is impacting SEO by injecting casino spam while a malicious PyPI package facilitates unauthorized music downloads from Deezer.
References: bsky.app , BleepingComputer , socket.dev ...
Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a high severity score of 7.1, allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.

A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy.

Recommended read:
References :
  • bsky.app: Socket Security has discovered a malicious PyPI package that created a botnet to pirate songs from music streaming service Deezer The package was named automslc and had been downloaded over 100,000 since its release in 2019
  • BleepingComputer: A malicious PyPi package named 'automslc'  has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • Talkback Resources: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads [app] [mal]
  • socket.dev: Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
  • bsky.app: A malicious PyPi package named 'automslc'  has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • The Hacker News: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads
  • Sucuri Blog: Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult.
  • gbhackers.com: A critical security vulnerability in the Essential Addons for Elementor plugin, installed on over 2 million WordPress websites, has exposed sites to script injection attacks via malicious URL parameters. The flaw, tracked as CVE-2025-24752 and scoring 7.1 (High) on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset
  • bsky.app: Microsoft has removed two popular VSCode extensions, 'Material Theme - Free' and  'Material Theme Icons - Free,' from the Visual Studio Marketplace for allegedly containing malicious code.
  • gbhackers.com: VS Code Extension with 9 Million Installs Attacks Developers with Malicious Code
  • aboutdfir.com: VSCode extensions with 9 million installs pulled over security risks
  • bsky.app: Microsoft has removed two VSCode theme extensions from the VSCode Marketplace for containing malicious code.
  • Techzine Global: Visual Studio Code extensions with 9 million downloads removed for security risks
info@thehackernews.com (The Hacker News)@The Hacker News //

PyPI Introduces Project Archival to Enhance Supply Chain Security - PyPI introduces 'Project Archival,' allowing maintainers to mark projects as unmaintained, improving supply chain security and transparency in the Python ecosystem.
PyPI (Python Package Index) has launched a new 'Project Archival' feature, empowering maintainers to mark projects as archived. This signals to users that these projects are no longer actively maintained or expected to receive updates, including crucial security fixes. While archived projects remain installable, the new status alerts developers to the risk of relying on unmaintained packages, thereby promoting more responsible dependency management. Maintainers can archive projects via their settings page on PyPI, prompting a prominent notice to appear on the project's main page.

The new archival system seeks to improve supply chain security by explicitly communicating the maintenance status of projects. This builds on PyPI's existing "project quarantine" framework introduced in late 2024, which allows administrators to mark suspicious projects and prevent their installation. By enabling maintainers to clearly denote the state of archived projects, this feature enhances visibility into the lifecycle of packages. PyPI recommends that package developers release a final version before archiving, including a detailed update in the project description to provide additional context about its status.

The archival process is reversible, giving project owners the option to resume maintenance if desired. As part of broader efforts to enhance project lifecycle management within PyPI, further project status labels such as "deprecated" or "unmaintained" may be introduced, along with updates to PyPI's public APIs to allow for easier retrieval of project status information. The goal is to provide a more structured and informative ecosystem for Python developers.

Recommended read:
References :
  • gbhackers.com: This website contains the latest news about cybersecurity incidents and attacks.
  • The Hacker News: This website contains the latest news about cybersecurity incidents and attacks.
  • www.bleepingcomputer.com: This website contains the latest news about cybersecurity incidents and attacks.
  • gbhackers.com: The Python Package Index (PyPI) has introduced a new feature that allows maintainers to mark projects as archived, signaling that the project is no longer actively maintained or expected to receive updates.
  • BleepingComputer: The Python Package Index (PyPI) has announced the introduction of 'Project Archival,' a new system that allows publishers to archive their projects, indicating to the users that no updates are to be expected.
  • ciso2ciso.com: PyPI Introduces Archival Status to Alert Users About Unmaintained Python Packages – Source:thehackernews.com
  • cyberpress.org: PyPI Implements Project Archival to Block Exploits Malicious Package
  • Cyber Security News: PyPI Implements Project Archival to Block Exploits Malicious Package
  • blog.pypi.org: Trail of Bits: PyPI Now Supports Project Archival More: The Hacker News: PyPI Introduces Archival Status to Alert Users About Unmaintained Python Packages
  • ciso2ciso.com: PyPI Introduces Archival Status to Alert Users About Unmaintained Python Packages – Source:thehackernews.com
  • www.cysecurity.news: PyPI's New Archival Feature Addresses a Major Security Flaw
  • Help Net Security: DeepSeek’s popularity exploited to push malicious packages via PyPI
Samarth Mishra@cysecurity.news //

Malicious PyPI Package Steals Ethereum Private Keys - A new malicious PyPI package, 'set-utils', has been discovered exfiltrating Ethereum private keys through blockchain transactions, disguised as a simple utility for Python sets, mimicking widely used libraries and compromising Ethereum wallets.
A malicious Python package named 'set-utils' has been discovered on the Python Package Index (PyPI) repository. This package is designed to steal Ethereum private keys by exploiting commonly used account creation functions. Disguised as a utility for Python sets, the package mimics popular libraries, tricking developers into installing it. Since its appearance, 'set-utils' has been downloaded over 1,000 times, posing a significant threat to Ethereum users and developers, particularly those working with Python-based wallet management libraries. The Python security team has removed the malicious package from PyPI.

The 'set-utils' package operates by silently modifying standard Ethereum wallet creation functions. The private keys are exfiltrated within blockchain transactions via the Polygon RPC endpoint to resist traditional detection efforts. The stolen keys are encrypted using an attacker-controlled RSA public key before transmission, making detection challenging. Even if the package is uninstalled, any Ethereum wallets created while it was active remain compromised. To mitigate these risks, developers should employ regular dependency audits and automated scanning tools to detect malicious behaviors in third-party packages.

Recommended read:
References :
  • The Hacker News: Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries.
  • Developer Tech News: A malicious package designed to steal private keys for Ethereum wallets has been uncovered within the Python Package Index (PyPI). According to Socket, this package – named ‘set-utils’ – masquerades as a utility for Python sets and has been actively targeting developers.
  • Cyber Security News: PyPI Malware Exploits Developers to Hijack Ethereum Wallets
  • gbhackers.com: New PyPI Malware Targets Developers to Steal Ethereum Wallets
  • www.cysecurity.news: Researchers at have exposed a malicious PyPi (Python Package Index package), set-utils, that steals Ethereum private keys by abusing a “commonly used account creation functions.â€�
MalBot@malware.news //

Malicious PyPI Packages Steal Credentials - Multiple open-source packages on npm were compromised with cryptomining malware via compromised maintainer accounts and stolen API tokens.
Researchers have identified two malicious packages, zebo and cometlogger, on the Python Package Index (PyPI) repository. These packages are designed to steal sensitive information such as login credentials and social media accounts from compromised systems. The malicious code was actively downloaded by users. The incident highlights the increasing need for vigilance when using open-source software and the potential for supply chain attacks.

Recommended read:
References :
  • The Hacker News: The Hacker News reports on researchers uncovering PyPI packages stealing keystrokes and hijacking social accounts.
  • Techzine Global: Two malicious Python packages revealed by FortiGuard Labs
  • ciso2ciso.com: Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data – Source:hackread.com
  • ciso2ciso.com: Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data – Source:hackread.com
  • osint10x.com: Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts
  • securityonline.info: PyPI Poisoned: “Zebo” and “Cometlogger” Downloaded Hundreds of Times
@www.helpnetsecurity.com //

Malicious Packages Masquerading as DeepSeek on PyPI - Malicious Python packages mimicking DeepSeek were found on PyPI, designed to steal user data, highlighting software repositories' vulnerability to malicious uploads.
Two malicious Python packages, named "deepseeek" and "deepseekai", were recently discovered on the Python Package Index (PyPI). These packages were designed to mimic client libraries for the DeepSeek AI API. However, researchers found that they contained malicious code intended to collect user and computer data, as well as environment variables that could expose sensitive information like API keys and database credentials. The packages were quickly reported to and quarantined by PyPI administrators, but were downloaded 36 times in their brief availability.

These malicious packages used Pipedream, an integration platform, as a command-and-control server to receive stolen data. The incident highlights the increasing trend of attackers exploiting the popularity of AI tools like DeepSeek and the growing use of AI in creating malicious payloads. Researchers advise developers to exercise caution when using newly released packages, especially those posing as wrappers for popular services, and to verify the authenticity of software packages before installation.

Recommended read:
References :
  • www.helpnetsecurity.com: Help Net Security article on DeepSeek's popularity being exploited to push malicious packages via PyPI.
  • Help Net Security: DeepSeek’s popularity exploited to push malicious packages via PyPI

Blogs

Research Tools