{
	"id": "4d8cb702-56f4-4b6d-b083-7aca774a0dbb",
	"created_at": "2026-04-06T00:09:31.707531Z",
	"updated_at": "2026-04-10T03:20:35.97737Z",
	"deleted_at": null,
	"sha1_hash": "32444a0acf4a067a35508cbd61039ece96e0bfd5",
	"title": "Two more malicious Python packages in the PyPI",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 576535,
	"plain_text": "Two more malicious Python packages in the PyPI\r\nBy Leonid Bezvershenko\r\nPublished: 2022-08-16 · Archived: 2026-04-05 13:38:08 UTC\r\nOn August 8, CheckPoint published a report on ten malicious Python packages in the Python Package Index (PyPI), the most popular Python repository among software developers. The malicious packages were intended to steal developers’ personal data and credentials.\r\nFollowing this research, we used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI. They were masquerading as one of the most popular open-source packages, named “requests”.\r\nTimeline of uploaded packages:\r\nPackage name | Version | Timestamp (UTC)\r\npyquest | 2.28.1 | 2022-07-30 10:11:47.000\r\npyquest | 2.28.2 | 2022-07-30 10:15:28.000\r\npyquest | 2.28.3 | 2022-07-30 10:19:14.000\r\nultrarequests | 2.28.3 | 2022-07-30 10:25:41.000\r\nThe attacker used a description of the legitimate “requests” package in order to trick victims into installing a malicious one. The description contains faked statistics, as if the package had been installed 230 million times in a month and had more than 48000 “stars” on GitHub. The project description also references the web pages of the original “requests” package, as well as the author’s email. All mentions of the legitimate package’s name have been replaced with the name of the malicious one.\r\nhttps://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/\r\nPage 1 of 6\r\nAfter downloading the malicious packages, it becomes clear that the source code is nearly identical to the code of the legitimate “requests” package, except for one file: exception.py. 
In the malicious package, this script was last modified on July 30, exactly on the date of publication of the malicious package.\r\nThe malicious payload is a Base64-encoded Python script hidden in the “HTTPError” class. The script writes another Python one-liner script into a temporary file and then runs that file via the system.start() function. Then that one-liner script downloads the next-stage script from https://zerotwo-best-waifu[.]online/778112985743251/wap/enner/injector and executes it.\r\nDownloader\r\nThe next stage is a downloader obfuscated with a publicly available tool named Hyperion. Obfuscation is done using multiple techniques, such as renaming variables and library functions, adding mixed boolean-arithmetic expressions and junk code, and compressing the code chunks with the zlib library.\r\nThe downloader terminates if the OS name is not “nt” (Windows). It randomly selects one of the directories under C:\\Users\\\u003cusername\u003e\\AppData\\Roaming or C:\\Users\\\u003cusername\u003e\\AppData\\Local, generates a random eight-character string consisting of the “bcdefghijklmnopqrstuvwxyz” characters and randomly picks one of the extensions from the following list:\r\n['.dll', '.png', '.jpg', '.gay', '.ink', '.url', '.jar', '.tmp', '.db', '.cfg']\r\nThen the malware downloads the final-stage payload from https://zerotwo-best-waifu[.]online/778112985743251/wap/shatlegay/stealer123365, saves it to the previously generated location and executes it.\r\nIn order to achieve persistence on the infected machine, the malware creates a registry value with the name “Realtek HD Audio Universal Service” in the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Windows system registry branch.\r\nThe script searches for an existing executable in the %system32% directory, named SecurityHealthSystray.exe or SystemSettingsAdminFlows.exe, 
adds a “\u0026” character (to ensure sequential execution in a command-line string), and then adds the location of the Python interpreter followed by the location of the malicious script. It is worth noting that this method does not work properly, as the system starts only the first executable, and the persistence is not actually achieved.\r\nC:\\Windows\\System32\\\u003cSecurityHealthSystray.exe | SystemSettingsAdminFlows.exe\u003e \u0026 \u003cPython interpreter path\u003e \u003cgenerated path for dropped final payload\u003e\r\nFinal payload: W4SP Stealer\r\nThe final payload is a Trojan written in Python and obfuscated with the same obfuscator as the downloader. The malware is dubbed “W4SP Stealer” by its author in the code.\r\nUpon launching, the stealer identifies the external IP address of the victim’s machine by making a GET request to https://api.ipify.org and installs two legitimate PyPI packages, “requests” and “pycryptodome”, in order to send exfiltrated data to the operator and to perform the cryptographic operations needed to decrypt cookies and passwords from browsers. Then the malware starts collecting Discord tokens, saved cookies and passwords from browsers in separate threads.\r\nCollected passwords and cookies are stored in the files %TEMP%\\wppassw.txt and %TEMP%\\wpcook.txt in the following format:\r\nUR1: \u003cURL\u003e | U53RN4M3: \u003cUSERNAME\u003e | P455W0RD: \u003cDECRYPTED_PASSWORD\u003e\r\nH057 K3Y: \u003cHOST_KEY\u003e | N4M3: \u003cNAME\u003e | V41U3: \u003cDECRYPTED_COOKIE\u003e\r\nAll files created by the stealer on the victim’s machine start with the line: “\u003c–W4SP STEALER ON TOP–\u003e”. 
All collected data is sent to the operator via a Discord webhook (https://discord[.]com/api/webhooks/1001296979948740648/4wqCErLU3BVeKWnxDA70Gns5vcfxh5OCb3YDIFZaFujqfSRIwHH4YIu3aLO) and rendered in a prettified format:\r\nThe stealer also creates and sends a list of saved browser credentials for the URLs containing keywords “mail”, “card”, “bank”, “buy”, “sell”, etc. (see Appendix for a full list). Apart from that, it gathers data from the MetaMask, Atomic and Exodus wallets, as well as Steam and Minecraft credentials.\r\nHaving collected credentials, the stealer starts traversing the victim’s directories named Downloads, Documents and Desktop, looking for filenames containing the following words:\r\n'passw', 'mdp', 'motdepasse', 'mot de passe', 'login', 'paypal',\r\n'banque', 'account', 'metamask', 'wallet', 'crypto', 'exodus',\r\n'discord', '2fa', 'code', 'memo', 'compte', 'token'\r\nInterestingly, this list contains multiple French words: “mot de passe” (password), “mdp” (abbreviation for “mot de passe”), “banque” (bank), “compte” (account). The matching files are then uploaded to the same Discord channel.\r\nThe stealer also downloads a JavaScript payload from zerotwo-best-waifu[.]online/778112985743251/wap/dsc_injection, writing it into Discord’s index.js file. Then it kills the running discord.exe process, so that the user has to restart Discord, thus activating the payload.\r\nsubprocess.Popen('taskkill /im discord.exe /t /f', shell=True)\r\nThe injected script monitors the victim’s actions, such as changing their email address, password or billing information. 
The updated information is also sent to the Discord channel.\r\nWe have already reported these two packages to the PyPI security team and Snyk Vulnerability Database.\r\nKaspersky solutions detect the threat with the following verdicts:\r\nTrojan.Python.Inject.d\r\nTrojan.Python.Agent.gj\r\nIOCs\r\nSamples\r\nURLs\r\nhttps://zerotwo-best-waifu[.]online/778112985743251/wap/enner/injector\r\nhttps://zerotwo-best-waifu[.]online/778112985743251/wap/shatlegay/stealer123365\r\nhttps://zerotwo-best-waifu[.]online/778112985743251/wap/dsc_injection\r\nAppendix\r\n['mail', 'coinbase', 'gmail', 'steam', 'discord', 'riotgames', 'youtube', 'instagram', 'tiktok', 'twitter', 'facebook', 'card', 'epicgames', 'spotify', 'yahoo', 'roblox', 'twitch', 'minecraft', 'bank', 'paypal', 'origin', 'amazon', 'ebay', 'aliexpress', 'playstation', 'hbo', 'xbox', 'buy', 'sell', 'binance', 'hotmail', 'outlook', 'crunchyroll', 'telegram', 'pornhub', 'disney', 'expressvpn', 'crypto', 'uber', 'netflix']\r\nSource: 
https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/"
	],
	"report_names": [
		"107218"
	],
	"threat_actors": [],
	"ts_created_at": 1775434171,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32444a0acf4a067a35508cbd61039ece96e0bfd5.pdf",
		"text": "https://archive.orkl.eu/32444a0acf4a067a35508cbd61039ece96e0bfd5.txt",
		"img": "https://archive.orkl.eu/32444a0acf4a067a35508cbd61039ece96e0bfd5.jpg"
	}
}