As detailed in The Hacker News, cybersecurity researchers from Aikido have identified two malicious packages within the Python Package Index (PyPI) repository. These packages, named spellcheckerpy and spellcheckpy, were disguised as legitimate spell-checking tools but contained hidden functionality to deploy a remote access trojan (RAT). Although now removed, they were downloaded over 1,000 times.The malicious code was concealed within a Basque language dictionary file, disguised as a compressed archive. Upon extraction using a specific function, a Base64-encoded payload was retrieved. Initially, the first three versions of the package only downloaded the payload without executing it. However, version 1.2.0, released on January 21, 2026, activated the payload, which acted as a downloader for a Python-based RAT hosted on updatenet[.]work. This domain is linked to an IP address managed by a hosting provider known to serve malicious actors. This attack mirrors a similar incident in November 2025 involving another fake spell-checking package.This discovery highlights the persistent threat of supply chain attacks within software repositories like PyPI and npm. The use of seemingly innocuous files and obfuscated execution triggers demonstrates evolving tactics by threat actors.Source: The Hacker News
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
Related Terms
AdwareYou can skip this ad in 5 seconds




