June 6, 2025
Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks
Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems. The findings come from multiple reports published by Checkmarx,

Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems.

The findings come from multiple reports published by Checkmarx, ReversingLabs, Safety, and Socket in recent weeks. The list of identified packages across these platforms are listed below –

Socket noted that the two malicious gems were published by a threat actor under the aliases Bùi nam, buidanhnam, and si_mobile merely days after Vietnam ordered a nationwide ban on the Telegram messaging app late last month for allegedly not cooperating with the government to tackle illicit activities related to fraud, drug trafficking, and terrorism.

“These gems silently exfiltrate all data sent to the Telegram API by redirecting traffic through a command-and-control (C2) server controlled by the threat actor,” Socket researcher Kirill Boychenko said. “This includes bot tokens, chat IDs, message content, and attached files.”

The software supply chain security company said the gems are “near-identical clones” of the legitimate Fastlane plugin “fastlane-plugin-telegram,” a widely used library to send deployment notifications to Telegram channels from CI/CD pipelines.

The malicious change introduced by the threat actor tweaks the network endpoint used to send and receive Telegram messages to a hard-coded server (“rough-breeze-0c37.buidanhnam95.workers[.]dev”) that effectively acts as a relay between the victim and the Telegram API, while silently harvesting sensitive data.

Given that the malware itself is not region-specific and lacks any geofencing logic to limit its execution to Vietnamese systems, it’s suspected that the attackers simply capitalized on the Telegram ban in the country to distribute counterfeit libraries under the guise of a proxy.

“This campaign illustrates how quickly threat actors can exploit geopolitical events to launch targeted supply chain attacks,” Boychenko said. “By weaponizing a widely used development tool like Fastlane and disguising credential-stealing functionality behind a timely ‘proxy’ feature, the threat actor leveraged trust in package ecosystems to infiltrate CI/CD environments.”

Socket said it also discovered an npm package named “xlsx-to-json-lh” that typosquats the legitimate conversion tool “xlsx-to-json-lc” and detonates a malicious payload when an unsuspecting developer imports the package. First published in February 2019, it has since been taken down.

“This package contains a hidden payload that establishes a persistent connection to a command-and-control (C2) server,” security researcher Kush Pandya said. “When triggered, it can delete entire project directories without warning or recovery options.”

Specifically, the destruction actions are unleashed once the French command “remise à zéro” (meaning “reset”) is issued by the C2 server, causing the package to delete source code files, version control data, configuration files, node_modules (including itself), and all project assets.

Another set of malicious npm packages – pancake_uniswap_validators_utils_snipe, pancakeswap-oracle-prediction, ethereum-smart-contract, and env-process – have been found to steal anywhere between 80 to 85% of the funds present in a victim’s Ethereum or BSC wallet using obfuscated JavaScript code and transfer them to an attacker-controlled wallet.

The packages, uploaded by a user named @crypto-exploit, have attracted over 2,100 downloads, with “pancake_uniswap_validators_utils_snipe” published four years ago. They are currently no longer available for download.

Similar cryptocurrency-themed malicious packages discovered on PyPI have incorporated covert functionality to steal Solana private keys, source code, and other sensitive data from compromised systems. It’s worth noting that while “semantic-types” was benign when it was first uploaded on December 22, 2024, the malicious payload was introduced as an update on January 26, 2025.

One collection of PyPI packages is designed to “monkey patch” Solana key-generation methods by modifying relevant functions at runtime without making any changes to the original source code.

The threat actor behind the Python packages, who used the alias cappership to publish them to the repository, is said to have used polished README files and linked them to GitHub repositories in an attempt to lend credibility and trick users into downloading them.

“Each time a keypair is generated, the malware captures the private key,” Boychenko said. “It then encrypts the key using a hardcoded RSA‑2048 public key and encodes the result in Base64. The encrypted key is embedded in a spl.memo transaction and sent to Solana Devnet, where the threat actor can retrieve and decrypt it to gain full access to the stolen wallet.”

The second batch of 11 Python packages to target the Solana ecosystem, according to Vancouver-based Safety, were uploaded to PyPI between May 4 and 24, 2025. The packages are designed to steal Python script files from the developer’s system and transmit them to an external server. One of the identified packages, “solana-live,” has also been found to target Jupyter Notebooks for exfiltration while claiming to be a “price fetching library.”

In a sign that typosquatting continues to be a significant attack vector, Checkmarx flagged six malicious PyPI packages that impersonate colorama, a widely-used Python package for colorizing terminal output, and colorizr, a color conversion JavaScript library available on npm.

“The tactic of using the name from one ecosystem (npm) to attack users of a different ecosystem (PyPI) is unusual,” the company said. “Payloads allow persistent remote access to and remote control of desktops and servers, as well as harvesting and exfiltrating sensitive data.”

What’s notable about the campaign is that it targets users of both Windows and Linux systems, allowing the malware to establish a connection with a C2 server, exfiltrate sensitive environment variables and configuration information, and take steps to evade endpoint security controls.

That said, it’s currently not known if the Linux and Windows payloads are the work of the same attacker, raising the possibility that they may be separate campaigns abusing a similar typosquatting tactic.

Malicious actors are also wasting no time seizing the growing popularity of artificial intelligence (AI) tools to poison the software supply chain with PyPI packages like aliyun-ai-labs-snippets-sdk, ai-labs-snippets-sdk, and aliyun-ai-labs-sdk that purport to be a Python software development kit (SDK) for interacting with Aliyun AI Labs services.

The malicious packages were published to PyPI on May 19, 2024, and were available for download for less than 24 hours. However, the three packages were collectively downloaded more than 1,700 times before they were pulled from the registry.

“Once installed, the malicious package delivers an infostealer payload hidden inside a PyTorch model loaded from the initialization script,” ReversingLabs researcher Karlo Zanki said. “The malicious payload exfiltrates basic information about the infected machine and the content of the .gitconfig file.”

The malicious code embedded within the model is equipped to gather details about the logged user, the network address of the infected machine, the name of the organization the machine belongs to, and the content of the .gitconfig file.

Interestingly, the organization name is retrieved by reading the “_utmc_lui_” preference key from the configuration of the AliMeeting online meeting application, a videoconferencing application that’s popular in China. This suggests that the likely targets of the campaign are developers located in China.

What’s more, the attack serves to highlight the growing threat posed by the misuse of machine learning model formats like Pickle, which is susceptible to arbitrary code execution during deserialization.

“Threat actors are always trying to find new ways to hide the malicious payloads from security tools — and security analysts,” Zanki said. “This time, they were using ML models, a novel approach for distribution of malware via the PyPI platform. This is a clever approach, since security tools are only starting to implement support for the detection of malicious functionality inside ML models.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.