Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that masqueraded as spellchecking utilities but contained a sophisticated remote access trojan (RAT) with cryptocurrency-stealing capabilities. The packages were downloaded over 1,000 times before removal.
Malicious packages
| Package Name | Downloads | Upload Date | Status |
|---|---|---|---|
| spellcheckerpy | ~500 | January 20, 2026 | Removed |
| spellcheckpy | ~500 | January 21, 2026 | Removed |
Both packages claimed to be from the legitimate author of the pyspellchecker library, exploiting developer trust in the popular spelling correction tool.
Detection
Aikido Security’s malware detection pipeline flagged the packages on January 20-21, 2026. Analysis revealed heavily obfuscated code designed to evade static scanners and deliver a RAT payload.
Attack chain
Stage 1: Installation and trigger
When a developer installs either package and imports the SpellChecker class (the same import path the genuine pyspellchecker uses):

```python
from spellchecker import SpellChecker
checker = SpellChecker()  # RAT executes here
```

Instantiating the class triggers the malicious payload; no explicit malicious function call is required, so the code looks exactly like ordinary use of the legitimate library.
Stage 2: Obfuscation bypass
Instead of using obvious exec() calls that static scanners flag, the malware:
- Reconstructs the exec string from hexadecimal at runtime
- Decodes the embedded payload
- Executes it in memory
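The hex-reconstruction trick above is only invisible to a scanner that greps for a literal exec( call. A scanner that decodes string literals and looks for indirect builtin lookups catches it. The script below is an added example written for this page, not code from Aikido Security or from the malicious packages; the two source samples it scans are constructed here in the style the page describes, and the heuristics it applies (hex and base64 literals, integer sequences, getattr or __dict__ lookups on builtins) are assumptions about what this kind of obfuscation looks like, not a description of the actual packages' code.

```python
import ast
import base64
import binascii
import re

# Builtins that malware reaches for indirectly when it wants to hide code execution.
SUSPICIOUS_BUILTINS = ("exec", "eval", "compile", "__import__")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def hidden_plaintexts(value):
    """Yield plausible decodings of a string literal (hex first, then base64)."""
    if len(value) >= 4 and len(value) % 2 == 0 and HEX_RE.match(value):
        yield bytes.fromhex(value).decode("ascii", "ignore")
    if len(value) >= 4 and len(value) % 4 == 0 and B64_RE.match(value):
        try:
            yield base64.b64decode(value, validate=True).decode("ascii", "ignore")
        except (binascii.Error, ValueError):
            pass


def spelled_by_ints(node):
    """Text spelled by a list/tuple of printable code points, e.g. [101, 120, 101, 99]."""
    if isinstance(node, (ast.List, ast.Tuple)) and node.elts and all(
        isinstance(e, ast.Constant) and isinstance(e.value, int) and 32 <= e.value < 127
        for e in node.elts
    ):
        return "".join(chr(e.value) for e in node.elts)
    return ""


def _names_in(text):
    return [name for name in SUSPICIOUS_BUILTINS if name in text]


def scan_source(source, filename="<string>"):
    """Return (lineno, reason) findings for direct or reconstructed exec-style calls."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        line = getattr(node, "lineno", 0)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            fn = node.func.id
            if fn in SUSPICIOUS_BUILTINS:
                findings.append((line, f"direct call to {fn}()"))
            elif (fn == "getattr" and node.args and isinstance(node.args[0], ast.Name)
                  and node.args[0].id in ("builtins", "__builtins__")):
                findings.append((line, "builtin looked up by name via getattr(builtins, ...)"))
        elif isinstance(node, ast.Subscript):
            base = node.value
            if (isinstance(base, ast.Name) and base.id == "__builtins__") or (
                isinstance(base, ast.Attribute) and base.attr == "__dict__"
                and isinstance(base.value, ast.Name) and base.value.id == "builtins"
            ):
                findings.append((line, "builtin looked up by name via __dict__/__builtins__"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for text in hidden_plaintexts(node.value):
                for name in _names_in(text):
                    findings.append((line, f"encoded literal decodes to {name!r}"))
        else:
            for name in _names_in(spelled_by_ints(node)):
                findings.append((line, f"integer sequence spells {name!r}"))
    return findings


# Constructed sample: ordinary library code, should produce no findings.
BENIGN = '''
import json

def load_words(path):
    with open(path) as fh:
        return json.load(fh)
'''

# Constructed sample in the style the page describes: the name "exec" is rebuilt
# from hex ("65786563") at runtime, so no literal exec() appears in the source.
OBFUSCATED = '''
import builtins
_k = bytes.fromhex("65786563").decode()
_p = bytes.fromhex("7072696e74282768692729")
getattr(builtins, _k)(_p.decode())
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        print(label, scan_source(src))
```

The scanner is deliberately noisy rather than precise: a package that needs exec for legitimate reasons calls it openly, so any finding in a freshly installed dependency is worth a human look, and the decoded literal tells the reviewer what the package was trying to hide.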
Stage 3: Downloader execution
The decoded payload is a downloader that:
- Fetches the real payload from https://updatenet[.]work/settings/history.php
- Spawns the RAT in a detached process
- Keeps the RAT running even if the original Python script exits
Stage 4: Fileless persistence
The RAT operates entirely in memory:
- No files written to disk
- Silent execution
- Detached from parent process
- Survives script termination
RAT capabilities
| Capability | Description |
|---|---|
| Remote command execution | Execute arbitrary commands on victim system |
| Cryptocurrency wallet theft | Extract wallets, seed phrases, private keys |
| Browser data exfiltration | Credentials, history, cookies, autofill |
| File exfiltration | Upload files to attacker infrastructure |
| Screen capture | Screenshot victim’s display |
| Persistence | Maintain access across reboots |
Targeted data
| Category | Targets |
|---|---|
| Crypto wallets | MetaMask, Phantom, Exodus, Coinbase Wallet, Trust Wallet |
| Browsers | Chrome, Brave, Edge, Firefox, Opera |
| Password managers | Browser-stored credentials |
| 2FA codes | Authenticator backup codes |
Threat actor connection
November 2025 campaign
In November 2025, HelixGuard documented a similar attack using a package named “spellcheckers” (different name, same target):
| Attribute | November 2025 | January 2026 |
|---|---|---|
| Package name | spellcheckers | spellcheckerpy, spellcheckpy |
| RAT structure | XOR encryption, command ID 1001, exec() | Identical structure |
| C2 domain | dothebest[.]store | updatenet[.]work |
| Social engineering | Fake recruiter targeting crypto holders | Direct PyPI targeting |
Fake recruiter campaign
The November 2025 campaign analysis revealed additional context:
| Element | Details |
|---|---|
| Distribution method | Fake recruiter social engineering |
| Targets | Cryptocurrency holders via social media |
| Lure | Fake job offers from “recruiters” |
| Infection | Victims directed to install malicious package |
| Goal | Cryptocurrency theft |
Assessment: Same threat actor, different infrastructure. The consistent methodology—targeting spellchecker libraries to reach developers, using multi-layer encryption, stealing cryptocurrency—indicates an ongoing campaign.
Related supply chain campaigns (2025)
Zscaler ThreatLabz findings
| Date | Package | Payload |
|---|---|---|
| July 2025 | termncolor | SilentSync RAT |
| August 2025 | sisaws | SilentSync RAT |
| August 2025 | secmeasure | SilentSync RAT |
These packages delivered a RAT dubbed SilentSync, retrieved from Pastebin—a similar pattern to the spellchecker campaigns.
Q2 2025 statistics (FortiGuard Labs)
| Threat type | Prevalence |
|---|---|
| Credential stealers | High |
| Cryptocurrency drainers | Increasing |
| Cryptojackers | Moderate |
| Clippers | Emerging |
Socket.dev identified these as the main threat types targeting the cryptocurrency and blockchain development ecosystem.
Technical indicators
Network IOCs
- updatenet[.]work (C2 server, January 2026)
- dothebest[.]store (C2 server, November 2025)
- /settings/history.php (payload endpoint)
- /refresh.php (RAT communication endpoint)
Behavioral indicators
- Python process making unexpected HTTPS connections
- Network traffic to unfamiliar domains after pip install
- Cryptocurrency wallet file access from Python process
- Browser credential store access
Detection opportunities
| Stage | Detection Method |
|---|---|
| Installation | Dependency scanning (Snyk, Dependabot, Socket) |
| Execution | EDR monitoring for Python child processes |
| C2 communication | Network monitoring for unknown domains |
| Data theft | DLP alerts on wallet/credential access |
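The network IOCs and behavioral indicators above combine naturally into one triage rule: any process talking to a known C2 domain is an alert, and a Python process talking to anything outside the build's expected egress set is a lower-confidence alert. The script below is an added example written for this page, not a tool from any of the vendors named here. The connection log it parses is constructed (EDR-style, one connection per line: timestamp, host, process, destination, port); the allowlist of expected Python destinations is an assumption to be tuned per environment, and cdn.example.net is a placeholder domain. Because the RAT's payload and /refresh.php endpoints sit behind TLS, matching is done on the domain, not the URL path, unless a TLS-inspecting proxy logs full URLs.

```python
import re

# Network IOCs exactly as the page lists them (defanged).
DEFANGED_IOCS = ("updatenet[.]work", "dothebest[.]store")
# Destinations a Python process is expected to reach during a build (assumption; tune per site).
EGRESS_ALLOWLIST = ("pypi.org", "files.pythonhosted.org")


def refang(indicator):
    """Turn a defanged indicator (updatenet[.]work, hxxps://...) back into a matchable string."""
    plain = indicator.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", plain, flags=re.IGNORECASE)


def _host_matches(host, domain):
    """True if host equals domain or is a subdomain of it (case-insensitive, trailing dot ignored)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def triage_connections(log_text, iocs=DEFANGED_IOCS, allowlist=EGRESS_ALLOWLIST):
    """Return (timestamp, host, process, destination, reason) alerts from a connection log."""
    c2_domains = [refang(i) for i in iocs]
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, process, dest, _port = raw.split()
        if any(_host_matches(dest, d) for d in c2_domains):
            # Any process, not only Python: the RAT runs detached from the installer.
            alerts.append((ts, host, process, dest, "known C2 domain"))
        elif process.lower().startswith("python") and not any(
            _host_matches(dest, a) for a in allowlist
        ):
            alerts.append((ts, host, process, dest, "python egress outside allowlist"))
    return alerts


# Constructed sample log: a CI build that installed the package, plus a developer laptop.
SAMPLE_LOG = """\
2026-01-21T10:02:11Z build-01 python3.11 pypi.org 443
2026-01-21T10:02:14Z build-01 python3.11 files.pythonhosted.org 443
2026-01-21T10:02:20Z build-01 python3.11 updatenet.work 443
2026-01-21T10:05:02Z dev-laptop chrome.exe github.com 443
2026-01-21T10:06:40Z dev-laptop python.exe cdn.example.net 443
"""

if __name__ == "__main__":
    for alert in triage_connections(SAMPLE_LOG):
        print(*alert)
```

The second rule is the useful one operationally: the C2 domain rotates between campaigns (dothebest[.]store in November, updatenet[.]work in January), so an IOC-only rule is always one campaign behind, whereas "pip's Python process contacted a domain that is neither the index nor the CDN" holds regardless of infrastructure.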
PyPI security improvements
PyPI announced a significant security enhancement taking effect February 1, 2026:
“After 6 months of warnings, on February 1st, 2026, PyPI will begin rejecting newly uploaded wheels whose ZIP contents don’t match the included RECORD metadata file.”
| Change | Impact |
|---|---|
| ZIP/RECORD validation | Prevents some tampering techniques |
| Metadata integrity | Stronger package verification |
| Upload rejection | Invalid packages blocked |
| Effective date | February 1, 2026 |
While this doesn’t prevent all malicious packages, it closes one avenue for package manipulation.
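The check PyPI describes is mechanical: every member of the wheel's ZIP must appear in the dist-info RECORD file with a matching sha256 (stored as urlsafe base64 without padding) and size, and RECORD must list nothing the ZIP lacks. The script below is an added example of that verification written for this page, not PyPI's own implementation; it builds a small consistent wheel in memory (a constructed sample whose file names mimic the spellcheckpy package from the table), then shows the two tamper cases the check rejects: a member changed without updating RECORD, and a member added that RECORD never mentions.

```python
import base64
import csv
import hashlib
import io
import zipfile

DIST_INFO = "spellcheckpy-0.1.0.dist-info"  # constructed; mimics the package name in the table


def record_digest(data):
    """sha256 in the urlsafe-base64-without-padding form that RECORD uses."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode("ascii")


def build_wheel(files, dist_info=DIST_INFO):
    """Build an in-memory wheel whose RECORD is consistent with its contents."""
    record_path = f"{dist_info}/RECORD"
    rows = [[p, f"sha256={record_digest(d)}", str(len(d))] for p, d in files.items()]
    rows.append([record_path, "", ""])  # RECORD never carries its own hash
    record = io.StringIO()
    csv.writer(record, lineterminator="\n").writerows(rows)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
        zf.writestr(record_path, record.getvalue())
    return buf.getvalue()


def tamper(wheel_bytes, path, data):
    """Add or replace one member without touching RECORD (the case the new check rejects)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name != path:
                dst.writestr(name, src.read(name))
        dst.writestr(path, data)
    return out.getvalue()


def verify_wheel(wheel_bytes):
    """Return a list of RECORD/ZIP inconsistencies; an empty list means the wheel is consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        records = [n for n in members if n.endswith(".dist-info/RECORD")]
        if len(records) != 1:
            return [f"expected one RECORD file, found {len(records)}"]
        record_path = records[0]
        listed = {}
        for row in csv.reader(io.StringIO(zf.read(record_path).decode("utf-8"))):
            if row:
                listed[row[0]] = (row[1] if len(row) > 1 else "", row[2] if len(row) > 2 else "")
        for name in members:
            if name not in listed:
                problems.append(f"{name}: in ZIP but not in RECORD")
        for path, (hash_spec, size) in listed.items():
            if path == record_path:
                continue
            if path not in members:
                problems.append(f"{path}: in RECORD but not in ZIP")
                continue
            data = zf.read(path)
            algo, _, expected = hash_spec.partition("=")
            if algo != "sha256" or record_digest(data) != expected:
                problems.append(f"{path}: hash mismatch")
            elif size and int(size) != len(data):
                problems.append(f"{path}: size mismatch")
    return problems


# Constructed sample contents for the wheel.
SAMPLE_FILES = {
    "spellchecker/__init__.py": b"from .checker import SpellChecker\n",
    "spellchecker/checker.py": b"class SpellChecker:\n    pass\n",
    f"{DIST_INFO}/METADATA": b"Metadata-Version: 2.1\nName: spellcheckpy\nVersion: 0.1.0\n",
}

if __name__ == "__main__":
    good = build_wheel(SAMPLE_FILES)
    print("clean wheel:", verify_wheel(good))
    print("edited member:", verify_wheel(tamper(good, "spellchecker/checker.py", b"# changed\n")))
    print("extra member:", verify_wheel(tamper(good, "spellchecker/_loader.py", b"# extra\n")))
```

Note what the check does and does not cover: it detects a wheel whose contents were altered after RECORD was generated, but a publisher who builds the malicious wheel normally gets a RECORD that matches perfectly. The spellchecker packages were uploaded as complete, self-consistent artifacts, which is why the page calls this an improvement that closes one avenue rather than a defense against malicious packages as such.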
Supply chain context
This incident reflects ongoing risks in open-source package ecosystems:
Why PyPI attacks work
| Factor | Risk |
|---|---|
| Open publishing | Anyone can publish with minimal vetting |
| Transitive dependencies | Malicious packages pulled in indirectly |
| Elevated privileges | Packages run with full system access |
| CI/CD automation | Automatic installation during builds |
| Developer trust | Assumption that packages are safe |
Attack frequency
Malicious package campaigns have increased across all major ecosystems:
| Ecosystem | Language | Trend |
|---|---|---|
| PyPI | Python | Increasing |
| npm | JavaScript | Increasing |
| RubyGems | Ruby | Moderate |
| NuGet | .NET | Emerging |
| Cargo | Rust | Emerging |
Recommendations
For developers
| Practice | Benefit |
|---|---|
| Verify package names | Catch typosquatting |
| Check publisher reputation | Identify suspicious accounts |
| Review package source | Spot obvious malware |
| Pin versions | Prevent unexpected updates |
| Use lockfiles | Ensure reproducible builds |
| Verify downloads | Check package popularity/history |
For organizations
| Control | Implementation |
|---|---|
| Private registries | Pre-approved packages only |
| Dependency scanning | Snyk, Dependabot, Socket, Mend |
| CI/CD monitoring | Alert on new dependencies |
| Network segmentation | Isolate build environments |
| Software composition analysis | Ongoing visibility |
| Egress filtering | Block unauthorized C2 communication |
If you installed these packages
- Remove immediately: pip uninstall spellcheckerpy spellcheckpy. Uninstalling removes the package files but does not stop a RAT that is already running detached in memory; terminate unexpected Python processes or reboot the host as well.
- Scan for persistence: check for unknown processes, scheduled tasks, and startup entries
- Rotate credentials: all passwords, API keys, and crypto wallets
- Move crypto assets: transfer to fresh wallets with new seed phrases
- Audit access: review account activity for unauthorized access
- Report: notify the security team and consider a formal incident response
- Check transitive dependencies: verify that other packages weren't affected
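One fact from the attack chain gives a cheap post-incident check: the malicious packages installed a top-level module called spellchecker, the same import name the genuine pyspellchecker distribution provides. An environment where that import name is provided by anything other than pyspellchecker, or by more than one distribution, is suspect. The script below is an added example written for this page, not part of pip or pyspellchecker; it uses importlib.metadata.packages_distributions (Python 3.10 and later) and normalises names per PEP 503. The expected-provider map is an assumption to extend for your own project, and the mapping it is tested against is constructed.

```python
import re
from importlib import metadata

# Import name -> the distribution that legitimately provides it (assumption; extend per project).
EXPECTED_PROVIDERS = {"spellchecker": "pyspellchecker"}


def canonical(name):
    """PEP 503 normalisation so 'PySpellChecker' and 'pyspellchecker' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_import_names(expected=EXPECTED_PROVIDERS, mapping=None):
    """Report import names provided by a distribution other than the expected one.

    mapping has the shape of importlib.metadata.packages_distributions():
    {import_name: [distribution_name, ...]}. None means inspect the running interpreter.
    Returns a list of (import_name, expected_distribution, [unexpected_distributions]).
    """
    if mapping is None:
        mapping = metadata.packages_distributions()
    findings = []
    for module, want in expected.items():
        providers = mapping.get(module, [])
        others = sorted({d for d in providers if canonical(d) != canonical(want)})
        if others:
            findings.append((module, want, others))
    return findings


def shadowed_modules(mapping=None):
    """Import names shipped by more than one installed distribution (either file set may win)."""
    if mapping is None:
        mapping = metadata.packages_distributions()
    return {m: sorted(set(d)) for m, d in mapping.items() if len(set(d)) > 1}


# Constructed mapping standing in for an environment where both packages were installed.
SAMPLE_MAPPING = {
    "spellchecker": ["pyspellchecker", "spellcheckpy"],
    "requests": ["requests"],
}

if __name__ == "__main__":
    # Inspect the interpreter this script runs under.
    print("unexpected providers:", audit_import_names())
    print("shadowed import names:", shadowed_modules())
```

Run it inside every virtual environment and CI image that might have pulled the packages, not only on the developer's laptop: the same check applied to the constructed mapping above reports spellcheckpy as an unexpected provider of spellchecker.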
Context
The “spellchecker” attack pattern demonstrates attacker sophistication in targeting developers. By impersonating legitimate, commonly-used packages, attackers achieve:
- Trust exploitation — Developers expect pyspellchecker to be safe
- Wide distribution — Popular package types get more installs
- High-value targets — Developers often have crypto holdings and access to production systems
The fileless execution and detached process technique makes detection difficult. Traditional antivirus may not flag activity that never touches disk.
Cryptocurrency targeting trend
| Factor | Attacker interest |
|---|---|
| Developer demographics | Higher crypto ownership |
| Production access | Keys and secrets available |
| Automation environments | CI/CD secrets exposed |
| Wallet files | Directly accessible |
| Browser credentials | Exchange logins |
Organizations should treat package installation as a security-critical operation, implementing the same controls applied to downloading and executing unknown software.