{"id":50584,"date":"2023-02-15T17:29:21","date_gmt":"2023-02-15T17:29:21","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/34328\/Latest-Attack-On-PyPi-Users-Shows-Crooks-Are-Only-Getting-Better.html"},"modified":"2023-02-15T17:29:21","modified_gmt":"2023-02-15T17:29:21","slug":"latest-attack-on-pypi-users-shows-crooks-are-only-getting-better","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/","title":{"rendered":"Latest Attack On PyPi Users Shows Crooks Are Only Getting Better"},"content":{"rendered":"<figure class=\"intro-image intro-left\"> <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/03\/skull-ones-zeros-cROPPED-800x464.jpeg\" alt=\"A skull and crossbones on a computer screen are surrounded by ones and zeroes.\"><figcaption class=\"caption\"><\/figcaption><\/figure>\n<p>More than 400 malicious packages were recently uploaded to PyPI (Python Package Index), the official code repository for the Python programming language, in the latest indication that the targeting of software developers using this form of attack isn\u2019t a passing fad.<\/p>\n<p>All 451 packages <a 
href=\"https:\/\/blog.phylum.io\/phylum-discovers-revived-crypto-wallet-address-replacement-attack\">found recently<\/a> by security firm Phylum contained almost identical malicious payloads and were uploaded in bursts that came in quick succession. Once installed, the packages create a malicious JavaScript extension that loads each time a browser is opened on the infected device, a trick that gives the malware persistence over reboots.<\/p>\n<p>The JavaScript monitors the infected developer\u2019s clipboard for any cryptocurrency addresses that may be copied to it. When an address is found, the malware replaces it with an address belonging to the attacker. The objective: intercept payments the developer intended to make to a different party.<\/p>\n<p>In November, Phylum <a href=\"https:\/\/blog.phylum.io\/pypi-malware-replaces-crypto-addresses-in-developers-clipboard\">identified dozens<\/a> of packages, downloaded hundreds of times, that used highly encoded JavaScript to surreptitiously do the same thing. Specifically, it:<\/p>\n<ul>\n<li aria-level=\"1\">Created a textarea on the page<\/li>\n<li aria-level=\"1\">Pasted any clipboard contents to it<\/li>\n<li aria-level=\"1\">Used a series of regular expressions to search for common cryptocurrency address formats<\/li>\n<li aria-level=\"1\">Replaced any identified addresses with the attacker-controlled addresses in the previously created textarea<\/li>\n<li aria-level=\"1\">Copied the textarea to the clipboard<\/li>\n<\/ul>\n<p>\u201cIf at any point a compromised developer copies a wallet address, the malicious package will replace the address with an attacker-controlled address,\u201d Phylum Chief Technical Officer Louis Lang wrote in the November post. 
\u201cThis surreptitious find\/replace will cause the end user to inadvertently send their funds to the attacker.\u201d<\/p>\n<h2>New obfuscation method<\/h2>\n<p>Besides vastly increasing the number of malicious packages uploaded, the latest campaign also uses a significantly different way to cover its tracks. Whereas the packages disclosed in November used encoding to conceal the behavior of the JavaScript, the new packages write function and variable identifiers in what appear to be random 16-bit combinations of Chinese language ideographs found in the following table:<\/p>\n<table>\n<thead>\n<tr>\n<th>Unicode code point<\/th>\n<th>Ideograph<\/th>\n<th>Definition<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>0x4eba<\/td>\n<td>\u4eba<\/td>\n<td>man; people; mankind; someone else<\/td>\n<\/tr>\n<tr>\n<td>0x5200<\/td>\n<td>\u5200<\/td>\n<td>knife; old coin; measure<\/td>\n<\/tr>\n<tr>\n<td>0x53e3<\/td>\n<td>\u53e3<\/td>\n<td>mouth; open end; entrance, gate<\/td>\n<\/tr>\n<tr>\n<td>0x5973<\/td>\n<td>\u5973<\/td>\n<td>woman, girl; feminine<\/td>\n<\/tr>\n<tr>\n<td>0x5b50<\/td>\n<td>\u5b50<\/td>\n<td>child; fruit, seed of<\/td>\n<\/tr>\n<tr>\n<td>0x5c71<\/td>\n<td>\u5c71<\/td>\n<td>mountain, hill, peak<\/td>\n<\/tr>\n<tr>\n<td>0x65e5<\/td>\n<td>\u65e5<\/td>\n<td>sun; day; daytime<\/td>\n<\/tr>\n<tr>\n<td>0x6708<\/td>\n<td>\u6708<\/td>\n<td>moon; month<\/td>\n<\/tr>\n<tr>\n<td>0x6728<\/td>\n<td>\u6728<\/td>\n<td>tree; wood, lumber; wooden<\/td>\n<\/tr>\n<tr>\n<td>0x6c34<\/td>\n<td>\u6c34<\/td>\n<td>water, liquid, lotion, juice<\/td>\n<\/tr>\n<tr>\n<td>0x76ee<\/td>\n<td>\u76ee<\/td>\n<td>eye; look, see; division, topic<\/td>\n<\/tr>\n<tr>\n<td>0x99ac<\/td>\n<td>\u99ac<\/td>\n<td>horse; surname<\/td>\n<\/tr>\n<tr>\n<td>0x9a6c<\/td>\n<td>\u9a6c<\/td>\n<td>horse; 
surname<\/td>\n<\/tr>\n<tr>\n<td>0x9ce5<\/td>\n<td>\u9ce5<\/td>\n<td>bird<\/td>\n<\/tr>\n<tr>\n<td>0x9e1f<\/td>\n<td>\u9e1f<\/td>\n<td>bird<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Using this table, the line of code<\/p>\n<pre class=\"language-python\"><code>''.join(map(getattr(__builtins__, oct.__str__()[-3 &lt;&lt; 0] + hex.__str__()[-1 &lt;&lt; 2] + copyright.__str__()[4 &lt;&lt; 0]), [(((1 &lt;&lt; 4) - 1) &lt;&lt; 3) - 1, ((((3 &lt;&lt; 2) + 1)) &lt;&lt; 3) + 1, (7 &lt;&lt; 4) - (1 &lt;&lt; 1), ((((3 &lt;&lt; 2) + 1)) &lt;&lt; 2) - 1, (((3 &lt;&lt; 3) + 1) &lt;&lt; 1)]))\n<\/code><\/pre>\n<p>creates the built-in function <code>chr<\/code> and maps the function to the list of integers <code>[119, 105, 110, 51, 50]<\/code>. Then the line combines it into a string that ultimately creates <code>'win32'<\/code>.<\/p>\n<p>Phylum researchers explained:<\/p>\n<blockquote>\n<p>We can see a series of these kinds of calls <code>oct.__str__()[-3 &lt;&lt; 0]<\/code>. The <code>[-3 &lt;&lt; 0]<\/code> evaluates to <code>[-3]<\/code> and <code>oct.__str__()<\/code> evaluates to the string <code>'&lt;built-in function oct&gt;'<\/code>. Using Python\u2019s index operator <code>[]<\/code> on a string with a <code>-3<\/code> will grab the 3rd character from the end of the string, in this case <code>'&lt;built-in function oct&gt;'[-3]<\/code> will evaluate to <code>'c'<\/code>. Continuing with this on the other 2 here gives us <code>'c' + 'h' + 'r'<\/code> and simply evaluating the complex bitwise arithmetic tacked on to the end leaves us with:<\/p>\n<pre class=\"language-python\"><code>''.join(map(getattr(__builtins__, 'c' + 'h' + 'r'), [119, 105, 110, 51, 50]))<\/code><\/pre>\n<p>The <code>getattr(__builtins__, 'c' + 'h' + 'r')<\/code> just gives us the built-in function <code>chr<\/code> and then it maps <code>chr<\/code> to the list of ints <code>[119, 105, 110, 51, 50]<\/code> and then joins it all together into a string ultimately giving us <code>'win32'<\/code>. 
This technique is continued throughout the entirety of the code.<\/p>\n<\/blockquote>\n<p>While giving the appearance of highly obfuscated code, the technique is ultimately easy to defeat, the researchers said, simply by observing what the code does when it runs.<\/p>\n<p>The latest batch of malicious packages attempts to capitalize on typos developers make when downloading one of these legitimate packages:<\/p>\n<ul>\n<li aria-level=\"1\">bitcoinlib<\/li>\n<li aria-level=\"1\">ccxt<\/li>\n<li aria-level=\"1\">cryptocompare<\/li>\n<li aria-level=\"1\">cryptofeed<\/li>\n<li aria-level=\"1\">freqtrade<\/li>\n<li aria-level=\"1\">selenium<\/li>\n<li aria-level=\"1\">solana<\/li>\n<li aria-level=\"1\">vyper<\/li>\n<li aria-level=\"1\">websockets<\/li>\n<li aria-level=\"1\">yfinance<\/li>\n<li aria-level=\"1\">pandas<\/li>\n<li aria-level=\"1\">matplotlib<\/li>\n<li aria-level=\"1\">aiohttp<\/li>\n<li aria-level=\"1\">beautifulsoup<\/li>\n<li aria-level=\"1\">tensorflow<\/li>\n<li aria-level=\"1\">selenium<\/li>\n<li aria-level=\"1\">scrapy<\/li>\n<li aria-level=\"1\">colorama<\/li>\n<li aria-level=\"1\">scikit-learn<\/li>\n<li aria-level=\"1\">pytorch<\/li>\n<li aria-level=\"1\">pygame<\/li>\n<li aria-level=\"1\">pyinstaller<\/li>\n<\/ul>\n<p>Packages that target the legitimate vyper package, for instance, used 13 file names that omitted or duplicated a single character or transposed two characters of the correct name:<\/p>\n<ul>\n<li aria-level=\"1\">yper<\/li>\n<li aria-level=\"1\">vper<\/li>\n<li aria-level=\"1\">vyer<\/li>\n<li aria-level=\"1\">vype<\/li>\n<li aria-level=\"1\">vvyper<\/li>\n<li aria-level=\"1\">vyyper<\/li>\n<li aria-level=\"1\">vypper<\/li>\n<li aria-level=\"1\">vypeer<\/li>\n<li aria-level=\"1\">vyperr<\/li>\n<li aria-level=\"1\">yvper<\/li>\n<li aria-level=\"1\">vpyer<\/li>\n<li aria-level=\"1\">vyepr<\/li>\n<li aria-level=\"1\">vypre<\/li>\n<\/ul>\n<p>\u201cThis technique is trivially easy to automate with a script (we leave this as an exercise 
for the reader), and as the length of the name of the legitimate package increases, so do the possible typosquats,\u201d the researchers wrote. \u201cFor example, our system detected 38 typosquats of the <code>cryptocompare<\/code> package published nearly simultaneously by the user named <code>pinigin.9494<\/code>.\u201d<\/p>\n<p>The availability of malicious packages in legitimate code repositories that closely resemble the names of legitimate packages dates back to at least 2016 when a college student <a href=\"https:\/\/arstechnica.com\/information-technology\/2016\/06\/college-student-schools-govs-and-mils-on-perils-of-arbitrary-code-execution\/\">uploaded 214 booby-trapped packages<\/a> to the PyPI, RubyGems, and NPM repositories that contained slightly modified names of legitimate packages. The result: The imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half were given all-powerful administrative rights. So-called typosquatting attacks <a href=\"https:\/\/arstechnica.com\/information-technology\/2021\/12\/malicious-packages-sneaked-into-npm-repository-stole-discord-tokens\/\">have<\/a> <a href=\"https:\/\/arstechnica.com\/information-technology\/2020\/04\/725-bitcoin-stealing-apps-snuck-into-ruby-repository\/\">flourished<\/a> <a href=\"https:\/\/arstechnica.com\/gadgets\/2021\/07\/malicious-pypi-packages-caught-stealing-developer-data-and-injecting-code\/\">ever<\/a> <a href=\"https:\/\/arstechnica.com\/gadgets\/2021\/06\/counterfeit-pypi-packages-with-5000-downloads-installed-cryptominers\/\">since<\/a>.<\/p>\n<p>The names of all 451 malicious packages the Phylum researchers found are included in <a href=\"https:\/\/blog.phylum.io\/phylum-discovers-revived-crypto-wallet-address-replacement-attack\">the blog post<\/a>. 
It\u2019s not a bad idea for anyone who intended to download one of the legitimate packages targeted to double-check that they didn\u2019t inadvertently obtain a malicious doppelganger.<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/34328\/Latest-Attack-On-PyPi-Users-Shows-Crooks-Are-Only-Getting-Better.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":50585,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[6626],"class_list":["post-50584","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlinemalwarebackdoor"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Latest Attack On PyPi Users Shows Crooks Are Only Getting Better 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Latest Attack On PyPi Users Shows Crooks Are Only Getting Better 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-15T17:29:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/03\/skull-ones-zeros-cROPPED-800x464.jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Latest Attack On PyPi Users Shows Crooks Are Only Getting 
Better\",\"datePublished\":\"2023-02-15T17:29:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/\"},\"wordCount\":852,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better.jpg\",\"keywords\":[\"headline,malware,backdoor\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/\",\"name\":\"Latest Attack On PyPi Users Shows Crooks Are Only Getting Better 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better.jpg\",\"datePublished\":\"2023-02-15T17:29:21+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better.jpg\",\"width\":800,\"height\":464},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,malware,backdoor\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinemalwarebackdoor\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Latest Attack On PyPi Users Shows Crooks Are Only Getting Better\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 
Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Latest Attack On PyPi Users Shows Crooks Are Only Getting Better 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/","og_locale":"en_US","og_type":"article","og_title":"Latest Attack On PyPi Users Shows Crooks Are Only Getting Better 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-02-15T17:29:21+00:00","og_image":[{"url":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/03\/skull-ones-zeros-cROPPED-800x464.jpeg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Latest Attack On PyPi Users Shows Crooks Are Only Getting Better","datePublished":"2023-02-15T17:29:21+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/"},"wordCount":852,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better.jpg","keywords":["headline,malware,backdoor"],"articleSection":["Packet 
Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/","url":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/","name":"Latest Attack On PyPi Users Shows Crooks Are Only Getting Better 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better.jpg","datePublished":"2023-02-15T17:29:21+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better.jpg","width":800,"height":464},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/latest-attack-on-pypi-users-shows-crooks-are-only-getting-better\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,malware,backdoor","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinemalwarebackdoor\/"},{"@type":"ListItem","position":3,"name":"Latest Attack On PyPi Users Shows Crooks Are Only Getting Better"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 
SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50584","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=50584"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50584\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/50585"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=50584"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=50584"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=50584"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}