ReversingLabs and Sonatype have recently uncovered a malicious campaign on the Python Package Index (PyPI) involving packages that mimic popular open source Python tools [2]. These attackers have gone to great lengths to deceive developers by creating corresponding GitHub projects that do not contain the malicious code.


One specific package identified in this campaign is VMConnect [2], which was published on July 28th by a developer named Hushki Manager [2]. The package appears trustworthy, with a legitimate description and corresponding functionality [2], but its malicious code is not present in the source code and can only be detected by scanning the build artifacts [2].

ReversingLabs’ Titanium Platform detected the suspicious package during routine scanning and found that it contacted a command and control server to download additional malicious code [1]. Although the malicious packages were promptly removed from PyPI [1], the attackers quickly replaced them [1], indicating an ongoing campaign [1] [5]. ReversingLabs has published indicators of compromise (IOCs) in the hope that others may connect them to known attacks and shed light on the campaign’s origins and intent [1].

This incident highlights the importance of having methods in place to detect suspicious content in release packages, in order to prevent falling victim to supply chain attacks [2]. Unlike other supply chain attacks [2] [3], these packages imitate the functionality of the modules they are replicating and create corresponding GitHub projects that omit the malicious code found in the PyPI release [3].

The package VMConnect [3], in particular, has been identified as suspicious due to its behavior [3], including the ability to create processes [3], decode data using Base64 [3], and contact a command and control server [1] [3]. It was published by a throw-away PyPI account and includes a legitimate-looking description and a corresponding GitHub repository that appears trustworthy [3]. This tactic of using GitHub repositories to create the illusion of a legitimate open source package is becoming more common [3], as it helps bypass source code reviews [3]. Development and application security teams need to be aware that release packages can contain malicious functionality that is not present in open source repositories and cannot be detected through source code scanning alone.
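The check this implies, comparing what a release actually ships against the repository it claims to come from, is sketched below as an added example (not code from ReversingLabs, Sonatype or the packages involved). It goes one step beyond the text by flagging imports tied to the three behaviours listed above. The package name `examplepkg`, the function names and the sample contents are constructed for illustration.

```python
import ast, io, tarfile
# Behaviours the article lists for VMConnect, keyed by the module an import would pull in.
BEHAVIOURS = {"subprocess": "process creation", "base64": "Base64 decoding",
              "socket": "network contact", "urllib": "network contact"}

def sdist_files(sdist_bytes):
    """Map path (top-level directory stripped) -> bytes for each file in a .tar.gz sdist."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        return {m.name.split("/", 1)[-1]: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}

def flagged_behaviours(source):
    """Return the sorted behaviours suggested by the imports in a Python source string."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return ["unparseable source"]
    found = set()
    for node in ast.walk(tree):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        found.update(BEHAVIOURS[n.split(".")[0]] for n in names if n.split(".")[0] in BEHAVIOURS)
    return sorted(found)

def compare_release_to_repo(sdist_bytes, repo_files):
    """List .py files in the release that are absent from, or differ from, the repo copy."""
    findings = []
    for path, data in sorted(sdist_files(sdist_bytes).items()):
        if not path.endswith(".py") or repo_files.get(path) == data:
            continue
        status = "differs from repo" if path in repo_files else "only in release"
        findings.append((path, status, flagged_behaviours(data.decode("utf-8", "replace"))))
    return findings

def make_sdist(files, top="examplepkg-1.0"):  # builds the constructed sample archive only
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{top}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
# Constructed sample: the repo is clean, the release adds code that the repo never contained.
REPO = {"examplepkg/__init__.py": b"VERSION = '1.0'\n", "examplepkg/api.py": b"def connect(): pass\n"}
RELEASE = {**REPO, "examplepkg/__init__.py": b"import base64, subprocess\n",
           "examplepkg/_helper.py": b"from urllib import request\n"}
```

The import check is a triage heuristic: a file that differs from the repository deserves review even when no listed module is imported, since code can load modules dynamically.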

Furthermore, PyPI has taken action to remove thousands of malicious libraries following the discovery of malicious code on the platform. This incident [6], reported by the Slovak National Security Office and gaining attention from various sources [6], is reminiscent of a previous controversy involving a startup called Kite [6], which inserted adware/spyware into plugins [6]. It is evident that the Python packaging system still has room for improvement. Sonatype researchers also discovered two other packages, “ethter” and “quantiumbase,” with identical structures and techniques [4], as part of a campaign they named “PaperPin.” They have warned VMware vSphere users to exercise caution when obtaining the legitimate Python connector module.


The discovery of this malicious campaign on PyPI highlights the need for development and application security teams to be vigilant and have effective methods in place to detect suspicious content in release packages. It is crucial to avoid falling victim to supply chain attacks that imitate popular open source tools and create corresponding GitHub projects to deceive developers. The incident also emphasizes the ongoing efforts needed to improve the Python packaging system and the importance of sharing indicators of compromise to shed light on the origins and intent of such campaigns.