Malware, Supply chain

Malicious Python packages deliver RAT via PyPI

Homepage of Python website on the display of PC

As detailed in The Hacker News, cybersecurity researchers from Aikido have identified two malicious packages within the Python Package Index (PyPI) repository. These packages, named spellcheckerpy and spellcheckpy, were disguised as legitimate spell-checking tools but contained hidden functionality to deploy a remote access trojan (RAT). Although now removed, they were downloaded over 1,000 times.

The malicious code was concealed within a Basque language dictionary file, disguised as a compressed archive. Upon extraction using a specific function, a Base64-encoded payload was retrieved. Initially, the first three versions of the package only downloaded the payload without executing it. However, version 1.2.0, released on January 21, 2026, activated the payload, which acted as a downloader for a Python-based RAT hosted on updatenet[.]work. This domain is linked to an IP address managed by a hosting provider known to serve malicious actors. This attack mirrors a similar incident in November 2025 involving another fake spell-checking package.

This discovery highlights the persistent threat of supply chain attacks within software repositories like PyPI and npm. The use of seemingly innocuous files and obfuscated execution triggers demonstrates evolving tactics by threat actors.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds