Explosive PyPI Malware Attack: 14,000+ Downloads to Steal and Hijack Cloud Tokens

Recently, a big security issue has been the talk of the tech community. The problem?

Attackers uploaded a few harmful packages to the Python Package Index (PyPI), a popular software repository created for Python developers to share their code. But these packages didn’t serve as regular tools for developers. Instead, they are traps designed to steal something important: ”cloud tokens.” Cloud tokens provide access to cloud services like AWS, Alibaba Cloud, and Tencent Cloud.

In this case, developers downloaded the harmful packages over 14,100 times before security experts noticed and removed them. This is an eye-opener for everyone in the coding world, which shows even trusted places like PyPI can be misused. And using third-party libraries can also bring hidden risks.

This incident is not to mention the flaw in security. It’s a clear warning that developers need to be careful and always check where their code is coming from. Let’s get to know more in detail.

How the Attack Worked

The malicious packages were divided into two main types:

1. Cloud Client Libraries: These packages, with names like acloud-client, enumer-iam, and tcloud-python-test, pretended to be real tools for working with cloud services. When users downloaded them, the attackers used the packages to steal cloud access tokens without the user’s knowledge. One of these packages, acloud-client, was downloaded 5,496 times.
2. Time-Related Utilities: Packages like snapshot-photo, time-check-server, and time-server-test looked like helpful tools for checking the time, but they actually contained code that stole cloud credentials when installed. Users downloaded these fake tools 3,338 times.

This attack has raised concerns about the safety of the open-source ecosystem, as PyPI (a popular place for downloading code) has become a target for hackers trying to trick developers.

The Scope of the Breach

The harmful packages weren’t just random or small threats. Attackers created them to steal sensitive information that could allow them to take control of cloud services. By stealing cloud access tokens, attackers access private data, change cloud systems, and even carry out harmful actions.

This attack is part of a growing problem where malicious packages target PyPI. Since so many people use PyPI and have many libraries, it has become a main target for hackers.

Previous Incidents on PyPI

This isn’t the first time PyPI has been targeted. In July 2024, researchers found a package called zlibxjson, which attackers designed to steal user data, like Discord tokens, browser cookies, and saved passwords. This attack, like the recent one, shows how hackers are finding ways to misuse open-source software.

Such attacks are happening more often as hackers look for easier ways to take advantage of the trust within the open-source community. Since many developers use third-party libraries to save time, they should stay cautious when using unverified or untrustworthy code.

How Developers Can Protect Themselves

To prevent falling victim to malicious packages, developers should adopt the following security practices:

1. Check Packages Carefully: Before downloading and using a package, always make sure it’s from a trusted source. Look at the package’s instructions, check when it was last updated, and watch out for any signs that it might be harmful, like bad reviews or no updates. Trusted packages usually have lots of users and regular updates.
2. Watch for Unusual Activity: Developers should keep an eye on any strange activity in their network. If a package is sending or receiving unexpected information, it could mean something is wrong.
3. Use Security Tools: Use tools that scan your software for any security problems or harmful code. These tools help make the process of checking your software easier and faster.
4. Stay Updated: Keep checking for security updates and warnings on PyPI and other places where you get packages. Knowing about new risks will help you act quickly if a problem comes up.
5. Limit Permissions: Developers should give only the necessary permissions to their cloud systems. Limiting access to only what is needed can help reduce the damage if a hacker gets into the system.

Conclusion

While PyPI is an invaluable resource for developers, this recent incident reminds us all that we can’t take open-source security for granted. Always check package signatures and hashes before installing anything new. When you’re building something that thousands of other developers might use, security can’t be an afterthought. Make sure to verify what you’re pulling into your projects.

Keep following Cyber News Live for more stories spotlighting the people driving the future of cybersecurity.

This piece was written by Subashini Abishek. Want to join us as a freelance journalist, contributor, or weekend wordsmith? Reach out at contact@cybernewslive.com. We’d love to hear from you.