Cybersecurity researchers have discovered malicious packages in the Python Package Index (PYPI) repository, which can harvest sensitive developer-related information, particularly credentials, configuration data, and environment variables.
A package named Chimera-Sandbox-Extensions has collected 143 downloads and is targeting users of a service called Chimera Sandbox. This was released by Singapore’s Tech Company Grab in August last year, and promoted “experimentation and development of (machine learning) solutions.”
The package pretends to be a helper module for the Chimera Sandbox, but “it is intended to steal other sensitive information, such as credentials, CI/CD environment variables, and AWS tokens,” JFROG security researcher Guy Corolevski said in a report released last week.
Once installed, it attempts to connect to the external domain where the domain name was generated using the Domain Generation Algorithm (DGA) to download and run the next stage payload.
Specifically, malware obtains authentication tokens from the domain. This is used to send requests to the same domain and get a Python-based information steeler.
The Stealer Malware is equipped to suck up a wide range of data from infected machines. This is –
- JAMF receipts are records of software packages installed on managed computers by MANF Pro.
- Pod Sandbox Environment Authentication Token and GIT Information
- CI/CD information from environment variables
- zscaler host configuration
- Amazon Web Service Account Information and Tokens
- Public IP Address
- Common platform, user, and host information
The types of data collected by the malware indicate that it is primarily targeted at businesses and cloud infrastructure. Furthermore, extracting JAMF receipts also indicates that it can be targeted to Apple MacOS systems.
The collected information is returned to the same domain via post-requests, and the server then assesses whether the machine is a valuable target for further exploitation. However, JFrog said that he could not obtain the payload during analysis.
“The targeting approach adopted by this malware, along with the complexity of multi-stage target payloads, distinguishes it from the more common open source malware threats we have encountered so far, highlighting the recent advances made by malicious packages.
“This new refinement of malware highlights why development teams remain vigilant for updates (active security research) to protect against new threats and maintain software integrity.”
This disclosure is because SafeDep and Veracode detail the NPM packages riding on numerous malware designed to run remote code and download additional payloads. The package in question is listed below –
- eslint-config-airbnb-compat (676 download)
- TS-runtime-compat-check (1,588 downloads)
- Solder (983 download)
- @mediawave/lib (386 download)
All identified NPM packages were subsequently removed from NPM, but not before they were downloaded hundreds of times from the package registry.
Analyzing Eslint-Config-Airbnb-Compat in SafeDep reveals that the JavaScript library has a TS-Runtime-compat-Check listed as a dependency. The exact nature of the payload is unknown.
“This uses transient dependencies to implement multi-stage remote code execution attacks to hide malicious code,” says SafeDep researcher Kunal Singh.
Solder, on the other hand, is known to incorporate post-installation scripts into Package.json, and malicious code will run automatically as soon as the package is installed.
“At first glance, it’s hard to believe that this is actually a valid JavaScript,” said the Veracode threat research team. “It looks like a random collection of Japanese symbols at first glance. You can see that this particular obfuscation scheme uses Unicode characters as a sophisticated chain of variable names and dynamic code generation.”
Decrypting the script reveals an extra layer of obfuscation. This reveals the main features. Check if the compromised machine is Windows, and in that case run the PowerShell command to get the next stage payload from the remote server (“Firewall(.)Tel”).
This two-stage PowerShell script is also obscure and is designed to retrieve Windows batch scripts from another domain (“cdn.audiowave(.)org”) and configures the Windows Defender Antivirus exclusion list to avoid detection. Batch script paves the way to running .NET DLLs that reach PNG images hosted on IMGBB (“i.ibb(.)co”).
“(DLL) grabs the last two pixels from this image and then loops through some of the data contained within it,” Veracode says. “Eventually it’s built into memory in yet another .net dll.”
Additionally, the DLL is equipped to create task scheduler entries and has the ability to bypass user account control (UAC) using a combination of fodhelper.exe and programmatic identifier (ProGID), evade protection and avoid triggering security alerts to users.
The newly downloaded DLLs are Pulsar Rats, “Free Open Source Remote Management Tool for Windows”, and Quasar Rat variants.
“From the walls of Japanese characters to mice hidden within pixels in PNG files, the attackers went to extraordinary lengths, hiding the payload and nested deep layers to avoid detection,” Bellacode said. “While the ultimate objective of the attacker to deploy Pulsar rats remains unknown, the complete complexity of this delivery mechanism is a powerful indicator of malicious intent.”
Open Source Supply Chain Cryptographic Malware
The findings are the leading type of threat targeting the cryptocurrency and blockchain development ecosystem, consistent with reports from sockets identifying qualified steelers, cryptocurrency drainers, cryptojackers and clippers.
Some of these package examples are –
- Express-Dompurify and PumptoolforvolumeandComment that can harvest browser credentials and cryptocurrency wallet keys
- BS58JS drains the victim’s wallet, uses multi-hop transfers to obscure theft and irritates forensic traces.
- lsjglsjdv, asyncaiosignal, and raydium-sdk-liquidity-init act as clippers that replace threat actor controlled addresses to attackers, monitor the system clipboard of cryptocurrency wallet wallets, and replace them with threat actor control addresses to attackers.
“As Web3 development converges on mainstream software engineering, the attack surface of blockchain-centric projects is expanding in both scale and complexity,” says socket security researcher Kirill Boychenko.
“Financially motivated threat actors and state-sponsored groups are rapidly evolving their tactics to exploit the systematic weaknesses of the software supply chain. These campaigns are increasingly tailored to their repetitive, sustainable, and high-value targets.”
AI and slope stitching
The rise of artificial intelligence (AI) assisted coding, also known as vibe coding, unleashed another new threat in the form of slope sting. There, there is no large-scale language model (LLM) but can hallucinate more plausible package names than bad actors can weaponize to carry out supply chain attacks.
In a report last week, Trend Micro said it had observed “with confidence” a phantom Python package named Starlette-Reverse-Proxy “cook with confidence.” However, if an enemy uploads a package with the same name into the repository, it can have serious security consequences.
Additionally, the cybersecurity company noted that sophisticated coding agents and workflows such as Claude Code CLI, Openai Code CLI, and Cursor AI with Model Context Protocol (MCP)-validated validation can help reduce the risk of slopesting, but cannot be completely eliminated.
“When agents hallucinate dependencies or install unidentified packages, they create an opportunity for malicious actors to pre-register those same hallucination names in public registrations,” said security researcher Sean Park.
“An agent that enhances inference can reduce the speed of phantom proposals by about half, but they don’t completely eliminate them. Even atmospheric workflows reinforced with live MCP verification, achieve the lowest rate of slip-throughs, but miss the edge case.”
