Security researchers have linked the attack to the same threat group previously behind fake recruiter-themed social engineering campaigns targeting victims’ cryptocurrency information earlier this year.
The malicious package impersonates the well-known “pyspellchecker” module, which has over 18 million downloads. Although the fake version has only been downloaded around 950 times, it poses a significant supply-chain threat to Python developers who unknowingly install malicious dependencies.
The attack uses a layered infection process to evade static analysis and detection. In the first stage, the malicious code hides in an encoded index file named ma_IN.index. Upon installation, the script executes code from this hidden file using Base64 decoding through the following function call:
```python
decoded_index = base64.b64decode(encoded_index).decode("utf-8")
exec(decoded_index)
```
This triggers a remote request to the attacker’s command-and-control (C2) server at dothebest.store/allow/inform.php, which delivers another encoded payload. The decoded script then opens a new subprocess that downloads and executes the second-stage malware.
The second stage establishes persistent communication with dothebest.store/refresh.php, functioning as a Remote Access Trojan (RAT). It uses custom encryption and XOR obfuscation for network communications and employs Base64 encoding to bypass static detection tools.
Once active, the RAT can receive remote commands and execute arbitrary Python code via the exec() function, granting the attacker complete remote control of the compromised system.
Analysis of the C2 infrastructure shows substantial overlap with previous fake-recruiter campaigns tied to cryptocurrency theft. Those earlier campaigns tricked victims via social media messages that appeared to be job offers, eventually delivering malware that stole information.
In this latest variant, the attackers have expanded their attack surface by infiltrating the supply chain via PyPI, one of the most widely used Python repositories in the developer ecosystem.
The malicious component’s code employs XOR-based encryption routines, dual-layer payload decryption, disguised protocol formats, and exception suppression to hinder analysis and detection. This sophisticated approach allows the malware to function silently until the attacker issues remote commands.
Researchers recommend that developers verify dependencies carefully and watch for similarly named substitutes for well-known packages. Anyone who installed the fake package is advised to remove it immediately, review running system processes, and rotate any API keys or cryptocurrency wallet credentials that may have been exposed.
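As an added example (not code from the article or from the researchers' analysis), the following script uses Python's ast module to flag the decode-then-exec pattern described above inside installed packages: an exec()/eval() whose argument is, or is a name bound to, the output of base64.b64decode(). The stager snippet inside it is constructed to mirror the shape of the first stage, not the actual package's code.

```python
import ast
import sys
from pathlib import Path

# Constructed sample in the shape the article describes (not the real package's code).
SAMPLE_STAGER = '''
import base64
encoded_index = open("ma_IN.index").read()
decoded_index = base64.b64decode(encoded_index).decode("utf-8")
exec(decoded_index)
'''

# Constructed benign use of base64 that must not be flagged.
BENIGN = '''
import base64
token = base64.b64decode("aGVsbG8=").decode("utf-8")
print(token)
'''


def _uses_b64decode(node):
    """True if the expression tree under `node` contains a call to b64decode."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            f = sub.func
            if isinstance(f, ast.Attribute) and f.attr == "b64decode":
                return True
            if isinstance(f, ast.Name) and f.id == "b64decode":
                return True
    return False


def find_decode_exec(source):
    """Return line numbers of exec()/eval() calls fed by base64-decoded data."""
    tree = ast.parse(source)
    tainted = set()  # names assigned from a b64decode() expression
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _uses_b64decode(node.value):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval") and node.args):
            arg = node.args[0]
            if _uses_b64decode(arg) or (isinstance(arg, ast.Name) and arg.id in tainted):
                hits.append(node.lineno)
    return hits


def scan_tree(root):
    """Map each .py file under `root` (e.g. site-packages) to its flagged line numbers."""
    findings = {}
    for path in Path(root).rglob("*.py"):
        try:
            lines = find_decode_exec(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue  # not parseable as Python 3; skip rather than crash the scan
        if lines:
            findings[str(path)] = lines
    return findings


if __name__ == "__main__":
    for f, lines in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{f}: exec/eval of base64-decoded data at lines {lines}")
```

The check is a heuristic for triage: a hit warrants manual review of the package, and a clean result does not prove a package is safe, since later stages may be staged from non-.py files or fetched from the network.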
The post Cybercriminals Deploy Infected PyPI Package to Attack Users and Capture Crypto Details appeared first on Cyber Security News.