{"id":44028,"date":"2021-11-19T16:39:23","date_gmt":"2021-11-19T16:39:23","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/32836\/Malware-Downloaded-From-PyPI-41-000-Times-Was-Surprisingly-Stealthy.html"},"modified":"2021-11-19T16:39:23","modified_gmt":"2021-11-19T16:39:23","slug":"malware-downloaded-from-pypi-41000-times-was-surprisingly-stealthy","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/malware-downloaded-from-pypi-41000-times-was-surprisingly-stealthy\/","title":{"rendered":"Malware Downloaded From PyPI 41,000 Times Was Surprisingly Stealthy"},"content":{"rendered":"<figure class=\"intro-image intro-left\"> <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/06\/code-800x450.jpeg\" alt=\"Malware downloaded from PyPI 41,000 times was surprisingly stealthy\"><figcaption class=\"caption\"><\/figcaption><\/figure>\n<p>PyPI\u2014the open source repository that both large and small organizations use to download code libraries\u2014was hosting 11 malicious packages that were downloaded more than 41,000 times in one of the latest reported such incidents threatening the software supply chain.<\/p>\n<p>JFrog, a security firm that monitors PyPI and other repositories for 
malware, said the packages are notable for the lengths their developers took to camouflage their malicious code from network detection. Those lengths include a novel mechanism that uses what\u2019s known as a <a href=\"https:\/\/www.netsparker.com\/blog\/web-security\/understanding-reverse-shells\/\">reverse shell<\/a> to proxy communications with control servers through the Fastly content distribution network. Another technique is <a href=\"https:\/\/www.infoblox.com\/glossary\/dns-tunneling\/#:~:text=DNS%20Tunneling%20is%20a%20method,in%20DNS%20queries%20and%20responses.&amp;text=DNS%20tunneling%20enables%20these%20cybercriminals,channel%20that%20bypasses%20most%20firewalls.\">DNS tunneling<\/a>, something that JFrog said it had never seen before in malicious software uploaded to PyPI.<\/p>\n<h2>A powerful vector<\/h2>\n<p>\u201cPackage managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach,\u201d Shachar Menashe, senior director of JFrog research, wrote in an email. \u201cThe advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we\u2019ve seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software.\u201d<\/p>\n<p>The researchers said that PyPI quickly removed all malicious packages once JFrog reported them.<\/p>\n<p>Use of open source repositories to push malware dates back to <a href=\"https:\/\/arstechnica.com\/information-technology\/2017\/09\/devs-unknowingly-use-malicious-modules-put-into-official-python-repository\/\">at least 2016<\/a>, when a college student uploaded malicious packages to PyPI, RubyGems, and npm. 
He gave the packages names that were similar to widely used packages already submitted by other users.<\/p>\n<p>Over a span of several months, his imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time, his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military may have run his script.<\/p>\n<p>In 2017, Slovakia\u2019s National Security Authority reported finding that malicious packages downloaded from PyPI had <a href=\"https:\/\/arstechnica.com\/information-technology\/2017\/09\/devs-unknowingly-use-malicious-modules-put-into-official-python-repository\/\">been incorporated into multiple pieces of production software<\/a> over a course of three months. Since then, there has been an almost <a href=\"https:\/\/arstechnica.com\/information-technology\/2018\/11\/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin\/\">countless<\/a> <a href=\"https:\/\/arstechnica.com\/information-technology\/2020\/04\/725-bitcoin-stealing-apps-snuck-into-ruby-repository\/\">number<\/a> of <a href=\"https:\/\/arstechnica.com\/gadgets\/2021\/06\/counterfeit-pypi-packages-with-5000-downloads-installed-cryptominers\/\">instances<\/a> of <a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/08\/the-year-long-rash-of-supply-chain-attacks-against-open-source-is-getting-worse\/\">malware<\/a> being sneaked into repositories.<\/p>\n<p>In July, JFrog found malicious PyPI packages, downloaded more than 30,000 times, that carried out a range of nefarious activities, including stealing credit card data and injecting malicious code on infected machines.<br \/>\nEarlier this year, a researcher developed a <a 
href=\"https:\/\/arstechnica.com\/gadgets\/2021\/03\/more-top-tier-companies-targeted-by-new-type-of-potentially-serious-attack\/\">new type of supply chain attack<\/a> that can have serious consequences. The so-called \u201cdependency confusion attacks\u201d work by uploading malicious packages to public code repositories and giving them names that are identical to legitimate packages stored in the internal repository of Microsoft, Apple, or another large software developer. Developers\u2019 software-management apps often favor external code libraries over internal ones, so they download and use the malicious package rather than the trusted one.<\/p>\n<h2>From attacker to victim via Fastly<\/h2>\n<p>Now, these types of attacks are getting harder to detect. The biggest advance in subterfuge the researchers found was in two packages, one called \u201cimportantpackage\u201d (or alternatively \u201cimportant-package\u201d) and the other called \u201c10Cent10\u201d (or \u201c10Cent11\u201d). The packages use the Fastly CDN to disguise communications between the infected machine and a control server.<\/p>\n<p>The malicious code hiding in the packages causes an HTTPS request to be sent to pypi.python.org in a way that\u2019s indistinguishable from a legitimate request to PyPI. The requests eventually are rerouted by Fastly as an HTTP request to the control server psec.forward.io.global.prod.fastly.net. The server then sends replies through the same setup, allowing for two-way communication. Fastly makes it easy for people to register their domains with the service. 
In many cases, registration can even be done anonymously.<\/p>\n<figure class=\"image shortcode-img center large\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/11\/malware-diagram.png\" class=\"enlarge\" data-height=\"378\" data-width=\"897\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/11\/malware-diagram-640x270.png\" width=\"640\" height=\"270\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/11\/malware-diagram.png 2x\"><\/a><figcaption class=\"caption\"><\/figcaption><\/figure>\n<p>JFrog researchers Andrey Polkovnychenko and Menashe explained:<\/p>\n<blockquote>\n<p>The PyPI infrastructure is hosted on the Fastly CDN. This hosting uses the <a href=\"https:\/\/varnish-cache.org\/\" target=\"_blank\" rel=\"noopener\">Varnish<\/a> transparent HTTP proxy to cache the communication between clients and the backend. The traffic first goes into a <strong>TLS terminator<\/strong> for decryption, so the Varnish proxy can inspect the contents of the HTTP packet. The proxy analyzes the HTTP headers from the user\u2019s request and redirects the request to the corresponding backend according to the <code>Host<\/code> header. The process then repeats itself in the reverse direction, allowing the malware to imitate duplex communication with PyPI.<\/p>\n<p>As a result, the command-and-control (C2) session is encrypted and signed with a legitimate server certificate, making it indistinguishable from communicating with legitimate PyPI resources.<\/p>\n<\/blockquote>\n<p>DNS tunneling, the other advanced evasion technique the researchers found, works using a DNS channel\u2014normally reserved for mapping domain names to IP addresses\u2014to send communications between an infected computer and a control server. 
DNS tunneling <a href=\"https:\/\/arstechnica.com\/information-technology\/2017\/03\/researchers-uncover-powershell-trojan-that-uses-dns-queries-to-get-its-orders\/\">isn\u2019t new<\/a>, but the researchers said it\u2019s the first time they have seen the technique used in malware uploaded to PyPI.<\/p>\n<p>The growing sophistication of the malicious code being sneaked into PyPI, and presumably other repositories, is an indication that its use in spreading malware is likely to continue. Developers who rely on public repositories should take extra care to ensure there are no typos or stray letters in the package name they\u2019re downloading.<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/32836\/Malware-Downloaded-From-PyPI-41-000-Times-Was-Surprisingly-Stealthy.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":44029,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[9740],"class_list":["post-44028","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlinemalwarelinuxbackdoor"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=44028"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44028\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/44029"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=44028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=44028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=44028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}