PyPI Malicious Packages: Thousands of Typosquatting Packages Steal Developer Credentials

Researchers discovered hundreds of malicious packages in the Python Package Index (PyPI) using names nearly identical to popular libraries. When installed, they exfiltrated developer credentials, AWS keys, and system information.

PyPI / Python Ecosystem · 2022 · 2 min read

Attack Chain

  1. PyPI package name typosquatted
  2. Developer installs fake package
  3. Malicious code runs on install
  4. AWS/SSH credentials stolen
  5. Package reported and removed

Background

PyPI hosts over 400,000 packages used by Python developers worldwide. Because developers typically install packages by name (pip install requests), a package with a name like "requets" or "requestss" may be installed accidentally. This typosquatting technique has been used in hundreds of campaigns.

The Attack

In 2022, security researchers from Checkmarx, Sonatype, and others discovered waves of malicious PyPI packages. One campaign uploaded over 450 packages in a single day. Package names imitated popular libraries: "colourama" (vs colorama), "falsk" (vs flask), "libpng2" (vs libpng), "aiohttp2" (vs aiohttp). Installation scripts executed immediately, collecting environment variables, ~/.aws/credentials files, SSH keys, browser-stored passwords, and system information, and sending them to attacker-controlled servers. Some packages were dormant: clean at install time but updated later with malicious code.

Response

PyPI's security team removed malicious packages when reported. PyPI introduced mandatory 2FA for critical packages' maintainers in 2023. The Python Software Foundation began investing in automated malicious package detection. Several major campaigns were attributed to nation-state and cybercriminal actors.

Outcome

Hundreds of thousands of installations of malicious packages were logged before removal. AWS credential theft from developer machines gives attackers access to production cloud infrastructure. The campaigns drove adoption of lock files, package hash verification, and dependency auditing tools.

Key Takeaways

  1. Use lock files and verify dependency hashes — pip install should use pinned, verified versions in production
  2. Never install packages by typing names manually — use curated, reviewed dependency files
  3. AWS credentials in ~/.aws/credentials files are high-value targets on developer machines — use IAM roles and temporary credentials where possible
  4. Automated PyPI package scanners like pip-audit and Snyk should be part of every Python development workflow