Security researchers have uncovered a sophisticated malware campaign targeting users of the Python Package Index (PyPI), Python’s official third-party software repository.
This latest attack vector involves several malicious packages disguised as time-related utilities, which are actually designed to steal sensitive information including cloud access tokens, API keys, and other credentials.
According to a ReversingLabs post shared on X, the campaign, identified in early March 2025, involves multiple packages with names such as “time-utils”, “timeformat”, and “execution-time-async” that mimic legitimate time measurement libraries.
These packages employ a technique known as combosquatting, where attackers add plausible-sounding words to existing package names to deceive developers.
For instance, the malicious package “execution-time-async” closely resembles the legitimate “execution-time” utility that measures code execution time and receives over 27,000 weekly downloads.
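A simple defensive check for the combosquatting pattern described above, written for this article and not taken from ReversingLabs or any project mentioned here: it normalises package names the way PyPI does (PEP 503) and flags any requirement that is a vetted name with an extra token bolted on, as “execution-time-async” is to “execution-time”. The allowlist of known names and the sample requirements are constructed for illustration.

```python
import re

# Constructed allowlist: in practice this is the set of packages your
# organisation has already vetted. "execution-time" is the legitimate
# utility named in the article; the rest are arbitrary well-known names.
KNOWN_PACKAGES = {"execution-time", "requests", "numpy", "python-dateutil"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' collapse to '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def combosquat_candidates(name: str, known=KNOWN_PACKAGES) -> list:
    """Return the known package names that `name` extends with an extra token.

    A hit is a known name that, after normalisation, is a prefix or suffix of
    `name` at a hyphen boundary (e.g. 'execution-time-async' vs 'execution-time').
    Exact matches are the legitimate package itself and are not reported.
    """
    n = normalize(name)
    hits = []
    for k in sorted(known):
        kn = normalize(k)
        if n == kn:
            continue
        if n.startswith(kn + "-") or n.endswith("-" + kn):
            hits.append(k)
    return hits


def audit_requirements(lines, known=KNOWN_PACKAGES) -> dict:
    """Map each requirement name to the known names it appears to combosquat."""
    findings = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # Strip extras and version specifiers: 'pkg[extra]>=1.0; ...' -> 'pkg'
        name = re.split(r"[\[<>=!~; ]", line, 1)[0]
        hits = combosquat_candidates(name, known)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample requirements file; only the first two names come from the article.
SAMPLE_REQUIREMENTS = [
    "execution-time-async==0.1.0",   # combosquat of execution-time
    "execution-time>=1.0",           # the legitimate package, not flagged
    "numpy_utils-fast",              # prefix form: numpy + extra tokens
    "requests[socks]>=2.31",         # exact match after stripping extras
    "# comment line",
]

if __name__ == "__main__":
    for pkg, hits in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg}: resembles {', '.join(hits)}")
```

The check is deliberately conservative: it only reports names built on top of a name you already trust, so it produces few false positives, but it will not catch typosquats (single-character substitutions), which need a separate edit-distance comparison.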
Upon installation, these packages appear to provide standard time formatting and measurement functionality while secretly executing malicious code in the background.
One such package contains the following seemingly innocent code:
Security experts note that the reversed endpoint URL in the code is designed to evade basic security scans.
When executed, this code sends system information to attacker-controlled servers.
Sophisticated Data Exfiltration Methods
What makes this campaign particularly concerning is its sophisticated exfiltration methods.
Rather than using easily detectable HTTP connections, the malware encrypts stolen data and transmits it through blockchain transactions via RPC endpoints to evade traditional network monitoring tools.
The malicious packages target AWS credentials, environment variables, and other cloud service tokens that could provide attackers with access to sensitive infrastructure.
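Two behaviours the article describes, a reversed endpoint URL that defeats naive string greps and harvesting of environment variables for cloud credentials, can both be surfaced by a static pass over a package's source. The scanner below is an added example written for this article, not code from ReversingLabs, PyPI or the malicious packages; it walks the Python AST and reports string literals that become a URL when reversed, `[::-1]` slices, and reads of `os.environ`/`os.getenv`. The sample module it runs on is constructed to imitate the pattern and uses a reserved `.example` domain.

```python
import ast
import re

URL_RE = re.compile(r"^https?://", re.IGNORECASE)


class ObfuscationScanner(ast.NodeVisitor):
    """Collect (lineno, kind, detail) findings for common infostealer tells."""

    def __init__(self):
        self.findings = []

    def visit_Constant(self, node):
        # A literal that only becomes a URL after reversal is the pattern
        # the article describes; a plain grep for "http" never sees it.
        if isinstance(node.value, str) and URL_RE.match(node.value[::-1]):
            self.findings.append((node.lineno, "reversed-url", node.value[::-1]))
        self.generic_visit(node)

    def visit_Subscript(self, node):
        # Any x[::-1]: step is the unary expression -1 with no lower/upper bound.
        s = node.slice
        if (isinstance(s, ast.Slice) and s.lower is None and s.upper is None
                and isinstance(s.step, ast.UnaryOp) and isinstance(s.step.op, ast.USub)
                and isinstance(s.step.operand, ast.Constant) and s.step.operand.value == 1):
            self.findings.append((node.lineno, "reverse-slice", ast.unparse(node)))
        self.generic_visit(node)

    def visit_Attribute(self, node):
        # os.environ / os.getenv: legitimate in many packages, but a time
        # formatting utility has no reason to read credentials from the environment.
        if isinstance(node.value, ast.Name) and node.value.id == "os" \
                and node.attr in ("environ", "getenv"):
            self.findings.append((node.lineno, "env-access", f"os.{node.attr}"))
        self.generic_visit(node)


def scan_source(source: str) -> list:
    """Parse `source` and return the scanner's findings, sorted by line."""
    scanner = ObfuscationScanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings)


# Constructed sample module imitating a "time utility" with a hidden reporter.
# The reversed literal decodes to https://c2.example/upload (reserved TLD).
SAMPLE_SOURCE = '''
import os
import time

def measure(fn):
    start = time.time()
    fn()
    return time.time() - start

def _report():
    target = "daolpu/elpmaxe.2c//:sptth"[::-1]
    creds = {k: v for k, v in os.environ.items() if "AWS" in k}
    return target, creds
'''

if __name__ == "__main__":
    for lineno, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {detail}")
```

Run it over an unpacked sdist or wheel before the package is allowed into a private index; a clean time library should produce no findings at all, so any hit is worth a manual read rather than a scoring threshold. `ast.unparse` requires Python 3.9 or later.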
This incident is part of a troubling trend of supply chain attacks targeting open-source repositories. Earlier this year, PyPI administrators had to temporarily suspend new user registrations and project creations for approximately 10 hours due to an influx of infostealer malware.
In February 2025, security researchers identified malicious packages named “deepseeek” and “deepseekai” that similarly collected user data and stole environment variables.
The current attack campaign has already affected developers across multiple countries, with the malicious packages collectively downloaded over 1,000 times before being removed from the repository.
Security experts recommend that organizations implement rigorous supply chain security practices, including package verification, network monitoring for suspicious outbound connections, and the use of private package repositories with strict vetting processes.
PyPI administrators continue to enhance security measures, but developers are advised to carefully verify all package sources, especially newly published ones with limited download history or minimal documentation.
Organizations should also regularly audit their Python environments and monitor for unauthorized network connections that might indicate compromise.
The post New Campaign Attacking PyPI Users to Steal Sensitive Data Including Cloud Tokens appeared first on Cyber Security News.