Stealthy, Thieving Python Packages Slither Onto Windows Systems

Published: 23/11/2024   Category: security


A campaign that's been active since April has already racked up nearly 75,000 downloads, stealing data and cryptocurrency in the process.



A threat actor has been delivering a relentless campaign since early April to seed the software supply chain with hundreds of malicious Python packages aimed at stealing sensitive data and cryptocurrency from Windows systems.
The packages, delivered via various usernames on GitHub, have been downloaded nearly 75,000 times already, researchers from Checkmarx revealed in a blog post this week. They also cast a wide net in terms of the info they collect, with the capability to steal data from the target system, various applications and browsers, and even the users themselves.
Further, the campaign has what appears to be a lucrative monetization aspect: It targets cryptocurrency users by modifying crypto addresses to redirect transactions to the attacker, according to Checkmarx. In fact, one of the crypto wallet addresses accepting these transactions showed a six-figure amount during the time period that the malicious packages were active.
"The sheer volume and persistence of these deployments hinted at an attacker with a well-crafted agenda," Checkmarx security researcher Yehuda Gelb wrote in the post.
Moreover, the attacker has shown a steady evolution in the sophistication of the packages, transitioning from plaintext to encryption to multilayered obfuscation — even secondary disassembly payloads.
"The threat actor's most recent packages adeptly dismantle system defenses, leaving it exposed and vulnerable," Gelb wrote.
The attacker employed a multiphase attack sequence, reflected in the activity of the malicious packages as they evolved since they initially appeared in early April.
In the beginning, the packages, written in plaintext, were "deceptively transparent," according to Gelb. "They would subtly integrate themselves into unsuspecting systems, all the while laying the groundwork for their malicious endeavors," he wrote.
Those activities began with a stealthy installation of dependencies and a subprocess that prevented any console window from surfacing to alert users, followed by an ability to sense the environment to cease activity at signs of detection.
Once this initial activity ended, the packages would set about their real task of collecting data from an infected system, extracting sensitive data including usernames, passwords, history, cookies, and payment information from Opera, Chrome, Microsoft Edge, Brave, and Yandex browsers. They also mined data from various apps, including Atomic, Exodus, Steam, and NationsGlory, packaging the data into ZIP files before extracting them.
Other capabilities of the packages during this initial phase included a search of the users' directories for potentially valuable files and subsequent upload of finds to hxxps[:]//transfer[.]sh; theft of badges, phone numbers, email addresses, and more from Discord as well as from popular gaming platforms such as Minecraft and Roblox; and screenshot capture to track real-time user activity.
The cryptocurrency element was also a hallmark of the first phase of the attacks. Malware spread through the packages would track the user's clipboard, scanning for cryptocurrency addresses so they could be replaced with the attacker's own.
"Similar crypto addresses were found across the myriad of malicious packages hinting at a centralized strategy, channeling the redirected funds into a few primary collection points," Gelb noted.
The packages didn't stop there, but also would tamper with applications such as Exodus — a crypto wallet management app — to "alter its core files to enable unrestricted data exfiltration," he wrote.
After the first wave of packages, the attacker added encryption to the plaintext of the malware released in the summer months, making its malicious functionality harder to detect, though at its core the behavior stayed the same.
The most recent packages took these deceptive practices even further, including dozens of layers of obfuscation that would hide secondary payloads fetched from an external source in the code.
Further, additional payloads included in the latest packages significantly extended the data collection and exfiltration capabilities of earlier packages, and added further evasion tactics that could prevent users from downloading antivirus software or checking files for viruses.
Attackers also added the ability to steal data from Telegram and pilfer data such as cryptocurrency wallets, system information, antivirus info, task list, Wi-Fi passwords, clipboard data, and specific files from directories like Desktop, Pictures, Documents, Music, Videos, and Downloads directly from the targeted machine, according to the researchers.
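The behaviours described above (a console-suppressed subprocess at install time, decode-then-exec obfuscation layers, uploads to transfer.sh, and clipboard polling paired with a cryptocurrency address pattern) can each be turned into a static indicator for reviewing a package before it is installed. The scanner below is an added example, not code from Checkmarx or from the article; both sample scripts are constructed, and the rule set is a heuristic starting point rather than a complete signature.

```python
import re

# Constructed sample of an installer script carrying several indicators the
# report attributes to the campaign: a console-suppressed subprocess, a
# decode-then-exec layer, a transfer.sh upload URL, and clipboard polling next
# to a Bitcoin address pattern. Illustrative text only; it does nothing.
SUSPICIOUS_SETUP_PY = '''
import subprocess, base64, re
subprocess.Popen(["python", "helper.py"], creationflags=0x08000000)
exec(base64.b64decode("...").decode())
UPLOAD = "https://transfer.sh/"
BTC = re.compile(r"^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$")
clip = get_clipboard()
'''

# Constructed benign setup.py for comparison.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="demo", version="0.1", packages=["demo"])
'''

# Single-pattern rules: (name, regex, why it matters).
RULES = [
    ("hidden_console_window",
     re.compile(r"creationflags\s*=\s*(0x0?8000000|(subprocess\.)?CREATE_NO_WINDOW)"),
     "subprocess launched with its console window suppressed"),
    ("decode_then_exec",
     re.compile(r"\bexec\s*\(\s*(\w+\.)*(b64decode|decompress|fromhex|unhexlify)"),
     "exec() fed directly from decoded or decompressed data"),
    ("transfer_sh_upload",
     re.compile(r"https?://transfer\.sh", re.I),
     "upload endpoint named in the report"),
]
# Each of these is benign alone; together they match the clipper behaviour.
CLIPBOARD = re.compile(r"clipboard|pyperclip|GetClipboardData", re.I)
ADDRESS_LITERAL = re.compile(r"bc1|\[13\]|0x\[a-fA-F0-9\]\{40\}")


def scan_package_source(source: str) -> list[tuple[str, str]]:
    """Return (rule_name, rationale) for every indicator found in source."""
    findings = [(name, why) for name, rx, why in RULES if rx.search(source)]
    if CLIPBOARD.search(source) and ADDRESS_LITERAL.search(source):
        findings.append(("clipboard_address_swap",
                         "clipboard access alongside a cryptocurrency address pattern"))
    return findings


def triage(source: str) -> str:
    """Coarse verdict: 'block' on two or more indicators, 'review' on one."""
    n = len(scan_package_source(source))
    return "block" if n >= 2 else "review" if n == 1 else "pass"
```

Run it over the unpacked sdist or wheel contents (setup.py, any `__init__.py`, and anything imported at install time) rather than only the top-level file, since later packages in the campaign moved the real logic into fetched secondary payloads.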
Threat actors increasingly are recognizing the value of weaponizing open source packages as a way to target the software supply chain and thus reach an enormous target base with significantly less effort than other types of attacks can require.
Python, given its widespread use in software development, is an especially popular target for attackers, who have even gone so far as to poison entire projects based in the programming language.
Indeed, malware distribution through open source packages is "an ongoing threat, one that requires organizations to maintain constant vigilance and adaptability to effectively protect against it," Gelb wrote.
The discovery of the recent Python campaign, in which the attacker constantly evolved to evade detection, highlights how important it is both for security professionals to share open source threat intelligence, and for developers to carefully vet any packages they download, particularly when they come from untrusted sources.