PyPI suspends registrations amid malware attack

Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (

The Python Package Index (PyPI) has suspended new project creation and user registration to mitigate an ongoing malware upload campaign. This move comes as security researchers at Checkmarx uncovered a campaign involving multiple malicious packages related to the same threat actors.

The attackers are targeting victims through typosquatting attacks, tricking users into installing malicious Python packages through their command-line interface. This multi-stage attack aims to steal cryptocurrency wallets, sensitive browser data such as cookies and extension data, and various credentials.

The malicious payload also employs a persistence mechanism to survive system reboots, ensuring continued access to compromised machines.

Malicious typosquatting packages

Between 27-28 March 2024, several malicious Python packages were uploaded to PyPI—likely using automation tools. These packages contained malicious code within their files, enabling automatic execution upon installation.

The files contained obfuscated and encrypted code using the Fernet encryption module. Upon installation, this code would execute, triggering the retrieval of an additional payload from a remote server. The payload URL was dynamically constructed by appending the package name as a query parameter.

Once decrypted, the retrieved payload revealed an extensive info-stealer designed to harvest sensitive information from the victim’s machine, including cryptocurrency wallets, browser data, and credentials.

In response to the malware campaign, PyPI has temporarily suspended new project creation and new user registration. This measure aims to mitigate the ongoing threat while the organisation investigates and addresses the issue.

You can find a full list of the packages uncovered by Checkmarx here.

(Photo by David Clode on Unsplash)

See also: GitHub’s code scanning autofix enters public beta

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including BlockX, Digital Transformation Week, IoT Tech Expo and AI & Big Data Expo.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *