Malicious PyPI Packages Compromised Cloud Tokens – Over 14,100 Downloads Before Removal

Cybersecurity experts have identified a malicious campaign targeting users of the Python Package Index (PyPI) repository. This campaign involves fraudulent libraries that pose as “time” utility tools but secretly steal sensitive data, including cloud access tokens.

The software supply chain security firm ReversingLabs uncovered 20 such packages, which collectively amassed over 14,100 downloads before their removal. The affected packages include:

snapshot-photo (2,448 downloads)
time-check-server (316 downloads)
time-check-server-get (178 downloads)
time-server-analysis (144 downloads)
time-server-analyzer (74 downloads)
time-server-test (155 downloads)
time-service-checker (151 downloads)
aclient-sdk (120 downloads)
acloud-client (5,496 downloads)
acloud-clients (198 downloads)
acloud-client-uses (294 downloads)
alicloud-client (622 downloads)
alicloud-client-sdk (206 downloads)
amzclients-sdk (100 downloads)
awscloud-clients-core (206 downloads)
credential-python-sdk (1,155 downloads)
enumer-iam (1,254 downloads)
tclients-sdk (173 downloads)
tcloud-python-sdks (98 downloads)
tcloud-python-test (793 downloads)

How the Malicious Packages Operated
The campaign was divided into two groups:

Data Uploading Packages – These were specifically designed to transmit stolen data to the attackers’ infrastructure.
Cloud Client Packages – These mimicked cloud service utilities for platforms like Alibaba Cloud, Amazon Web Services (AWS), and Tencent Cloud while secretly extracting sensitive cloud credentials.
Further analysis revealed that some of these packages, such as acloud-client, enumer-iam, and tcloud-python-test, were listed as dependencies in a relatively well-known GitHub project named accesskey_tools. This project has been forked 42 times and starred 519 times on GitHub.

Records indicate that tcloud-python-test was first referenced in a GitHub commit on November 8, 2023, suggesting it has been available on PyPI since at least that date. According to pepy.tech, this package has been downloaded 793 times so far.

The Growing Threat of Malicious Packages
This discovery follows a recent report from Fortinet FortiGuard Labs, which identified thousands of suspicious packages across PyPI and npm. Some of these packages contained hidden installation scripts that executed malicious code or established connections with external servers during installation.

According to cybersecurity researcher Jenna Wang, 974 of these packages contained suspicious URLs that facilitated:

Data theft and exfiltration
Further malware downloads
Establishing communication with external control servers
Wang emphasized the importance of carefully reviewing external URLs within package dependencies to prevent security breaches and cyber exploitation.
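The two defensive checks the article recommends, matching declared dependencies against the package names published in the ReversingLabs report and reviewing external URLs and install-time hooks in a package's setup code, can be scripted. The following is an added example written for this page, not code from ReversingLabs, Fortinet, or the article's author. The blocklist is the package list above; the requirements file and the setup.py it scans are constructed samples, and the `.invalid` hostnames in them are placeholders, not indicators from the report.

```python
import re
from typing import Iterable

# Package names from the ReversingLabs report quoted on this page.
MALICIOUS_PACKAGES = {
    "snapshot-photo", "time-check-server", "time-check-server-get",
    "time-server-analysis", "time-server-analyzer", "time-server-test",
    "time-service-checker", "aclient-sdk", "acloud-client", "acloud-clients",
    "acloud-client-uses", "alicloud-client", "alicloud-client-sdk",
    "amzclients-sdk", "awscloud-clients-core", "credential-python-sdk",
    "enumer-iam", "tclients-sdk", "tcloud-python-sdks", "tcloud-python-test",
}


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -, _ and . to '-'.
    Without this, 'acloud_client' or 'Enumer.IAM' would slip past a plain string match."""
    return re.sub(r"[-_.]+", "-", name).lower()


_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text: str) -> list[str]:
    """Return normalized project names from requirements.txt-style text.
    Comments, blank lines and pip options such as '-r' or '--index-url' are skipped."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_LINE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def find_flagged(text: str, blocklist: Iterable[str] = MALICIOUS_PACKAGES) -> list[str]:
    """Names in the requirements text that match the blocklist, after normalization."""
    block = {normalize(n) for n in blocklist}
    return sorted(n for n in set(parse_requirements(text)) if n in block)


_URL = re.compile(r"https?://[^\s'\"<>()]+")


def extract_urls(source: str) -> list[str]:
    """Every http(s) URL literal in a package's source, listed for manual review."""
    return sorted(set(_URL.findall(source)))


# Heuristic for setup.py overriding an install-time command: such hooks run
# arbitrary code during 'pip install', the behaviour the Fortinet report describes.
_INSTALL_HOOK = re.compile(
    r"cmdclass\s*=|class\s+\w+\s*\(\s*(install|develop|egg_info)\s*\)"
)


def has_install_hook(source: str) -> bool:
    """True if the setup code registers a custom install/develop/egg_info command."""
    return bool(_INSTALL_HOOK.search(source))


# Constructed sample inputs (not taken from the report).
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
requests==2.31.0
acloud_client>=1.0     # underscore spelling of a flagged name
numpy
Enumer-IAM==0.3
--extra-index-url https://mirror.invalid/simple
"""

SAMPLE_SETUP_PY = '''\
# constructed sample setup.py with an install-time hook and an outbound URL
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlopen("https://collector.invalid/beacon")

setup(name="time-check-helper", version="0.1",
      url="https://example.invalid/pkg",
      cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    print("flagged dependencies:", find_flagged(SAMPLE_REQUIREMENTS))
    print("URLs to review:", extract_urls(SAMPLE_SETUP_PY))
    print("install-time hook present:", has_install_hook(SAMPLE_SETUP_PY))
```

The URL and hook checks are deliberately coarse: a URL in setup.py is not proof of malice (a project homepage is expected), and a custom install command has legitimate uses, so the output is a review queue rather than a verdict. The name match, by contrast, is exact once both sides are normalized, which is why normalization is applied to the blocklist as well as to the requirements.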

Final Thoughts
The rapid increase in malicious software targeting developers highlights the importance of thorough package vetting. Developers and organizations using open-source repositories like PyPI and npm should exercise extreme caution when selecting third-party libraries to avoid potential security risks.

All identified malicious packages have since been removed from PyPI, but users should remain vigilant and monitor dependencies for any suspicious activity.
