The official Python Package Index (PyPI) has recently been found to contain malicious Python projects that deploy customized backdoors with cyberespionage functionality [7]. These backdoors allow for file execution [7], file exfiltration [7], and even the ability to take screenshots of a user’s screen [7]. In addition, a cryptocurrency-stealing clipboard monitor called W4SP Stealer has been delivered instead of the backdoor in some cases. This article provides a detailed description of the incident and highlights the ongoing trend of targeting open-source repositories for crypto mining operations.


PyPI was found to have 116 malicious packages across 53 projects, which were downloaded over 10,000 times [7]. The main method of installation for potential victims is believed to be social engineering [7]. ESET researchers advise Python developers to thoroughly vet the code they download from PyPI and exercise caution when installing code from any public software repository [7]. While PyPI has taken down the malicious packages, the abuse of PyPI is expected to continue [7]. The operators behind this campaign used three different techniques [7], including embedding PowerShell code and implementing the backdoor in Python for Windows and Go for Linux [7]. Developers are urged to vet any third-party code they use before adding it to their projects [7].

In addition to the above, three new malicious packages [1] [2] [3] [4] [5] [6] [7] [8], modularseven [1] [2] [3] [4] [5] [6] [8], driftme [1] [2] [3] [4] [5] [6] [8], and catme [1] [2] [3] [4] [5] [6] [8], were discovered in PyPI [1] [3] [4] [5]. These packages [1] [2] [3] [4] [5] [6] [8], created by an author known as “sastra,” deployed a cryptocurrency miner on Linux devices. Similar to a previous campaign that used the package culturestreak [3] [4] [6], these packages received a total of 431 downloads before being taken down [4]. The malware was hidden in the file and deployed a CoinMiner executable on the affected devices [4]. The malicious code was hosted on a remote URL to make detection more difficult. The packages also inserted malicious commands into the ~/.bashrc file for persistence and reactivation on the user’s device [1] [3] [4] [5] [6]. The packages introduced an extra stage where their nefarious intent was concealed in a shell script [1], evading detection by security software [1]. The configuration file for these packages was hosted on the domain papiculo[. [1]]net, and the coin mining executables were hosted on a public GitLab repository [1]. This strategy allowed for prolonged and stealthy exploitation of the user’s device for the attacker’s benefit [1] [5] [6]. The packages used the nohup command to execute the ELF binary file in the background [5], ensuring the process continued even after exiting the session [5].


This incident highlights the ingenuity of attackers in hiding and executing their malicious payloads [8], using multi-stage deployment and obfuscation techniques [8]. It serves as a reminder of the importance of vigilant security practices and regular auditing of dependencies in software development [8]. The community and individuals must stay informed and proactive in identifying and mitigating such threats to protect systems and maintain trust in open-source resources [8].