Date: 2025-10-03

More than 2,600 systems have already been breached with the nefarious soopsocks package on the Python Package Index (PyPI) repository before its removal from the repository, The Hacker News reports. The package purports to enable SOCKS5 proxy service creation but actually acts as a Windows backdoor proxy server.

JFrog researchers discovered that soopsocks has been using a Go-based executable or VBScript to facilitate compromise, with the former enabling PowerShell script execution, firewall rule setting, and system and network reconnaissance.

On the other hand, the VBScript also allowed PowerShell execution to escalate privileges and ensure persistence upon reboot.

The soopsocks package "is a well-designed SOCKS5 proxy with full bootstrap Windows support. However, given the way it performs and actions it takes during runtime, it shows signs of malicious activity," researchers said.

Such findings come after GitHub announced the revocation of legacy tokens for npm publishers, while setting a seven-day expiry for granular access tokens for npm in a bid to curb supply chain attack risk.