Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that masqueraded as spellchecking utilities but contained remote access trojan (RAT) functionality.
Malicious Packages
| Package Name | Downloads | Status |
|---|---|---|
| spellcheckerpy | ~500 | Removed |
| spellcheckpy | ~500 | Removed |
The packages were collectively downloaded over 1,000 times before PyPI administrators removed them.
Attack Technique
Typosquatting: The malicious packages used names similar to legitimate spellchecking libraries, hoping developers would accidentally install them through:
- Typos when running
pip install - Copy-paste errors from documentation
- Confusion with legitimate packages
Payload: Once installed, the packages delivered a remote access trojan (RAT) enabling attackers to:
- Execute arbitrary commands
- Exfiltrate sensitive data
- Maintain persistent access
- Move laterally within networks
Supply Chain Risk
This incident highlights ongoing risks in open-source package ecosystems:
- Lack of vetting: Anyone can publish packages
- Transitive dependencies: Malicious packages can be pulled in indirectly
- Developer trust: Packages often run with full system privileges
- CI/CD exposure: Build pipelines automatically install dependencies
Protection Measures
For developers:
- Verify package names carefully before installation
- Check package popularity, maintenance status, and publisher reputation
- Use dependency scanning tools (Snyk, Dependabot, etc.)
- Pin specific versions in requirements files
- Review package source code when possible
For organizations:
- Implement private package registries with approved packages
- Scan dependencies in CI/CD pipelines
- Monitor for unexpected network connections from build environments
- Use software composition analysis (SCA) tools
Broader Context
Malicious package campaigns have increased significantly, targeting:
- PyPI (Python)
- npm (JavaScript)
- RubyGems (Ruby)
- NuGet (.NET)
Developers should treat package installation as a security-sensitive operation.