Three malicious PyPI packages found with over 14,000 downloads

It’s a long-held adage that anything you install from the Python Package Index (PyPI) should be safe. But it turns out, this isn’t always true and there are many packages with malicious code being made available on PyPI without any real checks or controls in place to prevent abuse of these putative trusted repositories.

A “malicious python libraries” was found on the Python Package Index (PyPI). The three packages have been downloaded over 14,000 times.

Three malicious PyPI packages found with over 14,000 downloads

Three fraudulent Python packages have been deleted from the Python Package Index (PyPI) registry, totaling over 14,000 downloads and mirrors. 

Andrew Scott, a developer and senior product manager at Palo Alto Networks, found these packages while undertaking a wide-scale static analysis of “a big majority of the packages on PyPI,” as he defines it. Scott aided his investigation using the Bandersnatch open-source project from Python Packaging Authority. 

This finding is part of a growing practice of attackers slipping harmful code into codebases for unwary developers to download and incorporate into their apps. 17 fraudulent NPM packages were recently discovered, and the PyPI repository has previously been attacked with crypto-mining malware. 

In the news: Meta’s virtual reality social network is now available to everyone.


Andrew avoided very big distributions and only downloaded the most recent versions of the packages, setting a smaller number of workers to prevent overloading PyPI servers, while downloading around 200,000 of the 330,000 packages available on PyPI.

These are the malware packages that he identified. 

Name of the package Maintainer Description
aws-login0tool davycrockett5729492 Candidate for typosquatting On Windows, it installs trojans.
dpp-client cutoffurmind Extracts variables and files from the environment.
dpp-client1234 cutoffurmind Extracts variables and files from the environment.

In what looks to be a typosquatting effort, the aws-login0tool program targets Windows users. The package downloads a 64-bit executable file called normal.exe after installation, which has been classified as a trojan by 32 security vendors and one sandbox on VirusTotal. 

According to TheBleepingComputer, the PyPI package page for this package included a caution advising users not to download it, stating, “Please don’t use this… It has a negative impact… Oh, what a pity:(“

The other two packages, dpp-client and dpp-client1234, target Linux workstations and transmit environment variables and directory listings to pt.traktrain.com.

Three-malicious-PyPI-packages-found-with-over-14000-downloads

The packages seek for a few folders in particular, including /mnt/mesos, which may mean they’re searching for Apache Mesos files. The Apache Foundation created Mesos, an open-source cluster management software. 

At the time of writing, the dpp-client package has been downloaded 10,194 times. So far, 1536 people have downloaded the dpp-client1234 package. Over 3000 people have downloaded the aws-login0tool package. Keep in mind that these download statistics may include automatic mirrors as well as developer-generated downloads.

The description on their project sites included basic test keywords, suggesting that these packages were most likely part of a proof-of-concept effort. 

In the news: A zero-day Java library vulnerability affects Steam, iCloud, and Minecraft.

Memory-error-0-1766-8-Fixes

When he’s not writing/editing/shooting/hosting all things tech, he streams himself racing virtual vehicles. Yadullah may be reached at [email protected], or you can follow him on Instagram or Twitter.

Watch This Video-

The “py dateutil vs python-dateutil” is a problem that has been present for a while. The packages have over 14,000 downloads and are malicious in nature.

Frequently Asked Questions

Is there malware on PyPI?

A: The short answer is no. I do not believe that there are any known malicious packages on PyPI, the Python Package Index (https://pypi.python.org).

Can I trust PyPI?

A: PyPI is an acronym for The Python Package Index. It is a website that provides package information and downloads to many different operating systems. You can trust it but you should make sure the packages are trustworthy before you install them on your system.

Are all packages on PyPI safe?

A: All packages on PyPI are safe. This service is used by some large companies, like Google and Microsoft.

  • malicious packages
  • python dateutil malicious
  • pypi attack
  • jfrog pypi
  • python malware
You May Also Like