Python | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have uncovered a new campaign in which the threat actors have published more than 67 GitHub repositories that claim to offer Python-based hacking tools, but deliver trojanized payloads instead. The activity, codenamed Banana Squad by ReversingLabs, is assessed to be a continuation of a rogue Python campaign that was identified in 2023 as targeting the Python Package Index (PyPI) repository with bogus packages that were downloaded over 75,000 times and came with information-stealing capabilities on Windows systems. The findings build on a previous report from the SANS's Internet Storm Center in November 2024 that detailed a supposed "steam-account-checker" tool hosted on GitHub, which incorporated stealthy features to download additional Python payloads that can inject malicious code into the Exodus cryptocurrency wallet app and harvest sensitive data to an external server ("dieserbenni[.]ru"). Further analysis of the repository a...

A new campaign is making use of Cloudflare Tunnel subdomains to host malicious payloads and deliver them via malicious attachments embedded in phishing emails. The ongoing campaign has been codenamed SERPENTINE#CLOUD by Securonix. It leverages "the Cloudflare Tunnel infrastructure and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts," security researcher Tim Peck said in a report shared with The Hacker News. The attack starts with sending payment- or invoice-themed phishing emails bearing a link to a zipped document that contains a Windows shortcut (LNK) file. These shortcuts are disguised as documents to trick victims into opening them, effectively activating the infection sequence. The elaborate multi-step process culminates in the execution of a Python-based shellcode loader that executes payloads packed with the open-source Donut loader entirely in memory. Securonix said the campaign has targeted the...

Cybersecurity researchers have called attention to a new campaign that's actively exploiting a recently disclosed critical security flaw in Langflow to deliver the Flodrix botnet malware. "Attackers use the vulnerability to execute downloader scripts on compromised Langflow servers, which in turn fetch and install the Flodrix malware," Trend Micro researchers Aliakbar Zahravi, Ahmed Mohamed Ibrahim, Sunil Bharti, and Shubham Singh said in a technical report published today. The activity entails the exploitation of CVE-2025-3248 (CVSS score: 9.8), a missing authentication vulnerability in Langflow , a Python-based "visual framework" for building artificial intelligence (AI) applications. Successful exploitation of the flaw could enable unauthenticated attackers to execute arbitrary code via crafted HTTP requests. It was patched by Langflow in March 2025 with version 1.3.0. Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagg...

Cybersecurity researchers from  SafeDep and Veracode detailed a number of malware-laced npm packages that are designed to execute remote code and download additional payloads. The packages in question are listed below - eslint-config-airbnb-compat (676 Downloads) ts-runtime-compat-check (1,588 Downloads) solders (983 Downloads) @mediawave/lib (386 Downloads) All the identified npm packages have since been taken down from npm, but not before they were downloaded hundreds of times from the package registry.  SafeDep's analysis of eslint-config-airbnb-compat found that the JavaScript library has ts-runtime-compat-check listed as a dependency, which, in turn, contacts an external server defined in the former package ("proxy.eslint-proxy[.]site") to retrieve and execute a Base64-encoded string. The exact nature of the payload is unknown. "It implements a multi-stage remote code execution attack using a transitive dependency to hide the malicious code,"...

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution flaw affecting the Craft Content Management System (CMS) to deploy multiple payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware. The vulnerability in question is CVE-2025-32432 , a maximum severity flaw in Craft CMS that was patched in versions 3.9.15, 4.14.15, and 5.6.17. The existence of the security defect was first disclosed in April 2025 by Orange Cyberdefense SensePost after it was observed in attacks earlier this February. According to a new report published by Sekoia, the threat actors behind the campaign weaponized CVE-2025-32432 to obtain unauthorized access to the target systems and then deploy a web shell to enable persistent remote access. The web shell is then used to download and execute a shell script ("4l4md4r.sh") from a remote server using curl, wget, or the Python library urllib2. "Regarding ...

Cybersecurity researchers have uncovered malicious packages uploaded to the Python Package Index (PyPI) repository that act as checker tools to validate stolen email addresses against TikTok and Instagram APIs. All three packages are no longer available on PyPI. The names of the Python packages are below - checker-SaGaF (2,605 downloads) steinlurks (1,049 downloads) sinnercore (3,300 downloads) "True to its name, checker-SaGaF checks if an email is associated with a TikTok account and an Instagram account," Socket researcher Olivia Brown said in an analysis published last week. Specifically, the package is designed to send HTTP POST requests to TikTok's password recovery API and Instagram's account login endpoints to determine if an email address passed as input is valid, meaning there exists an account holder corresponding to that email address. "Once threat actors have this information, just from an email address, they can threaten to dox or spam, c...

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that purports to be an application related to the Solana blockchain, but contains malicious functionality to steal source code and developer secrets. The package, named solana-token, is no longer available for download from PyPI, but not before it was downloaded 761 times . It was first published to PyPI in early April 2024, albeit with an entirely different version numbering scheme. "When installed, the malicious package attempts to exfiltrate source code and developer secrets from the developer's machine to a hard-coded IP address," ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News. In particular, the package is designed to copy and exfiltrate the source code contained in all the files in the Python execution stack under the guise of a blockchain function named "register_node()." This unusual behavior suggests that...

Threat actors have been observed leveraging fake artificial intelligence (AI)-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile . "Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms – often advertised via legitimate-looking Facebook groups and viral social media campaigns," Morphisec researcher Shmuel Uzan said in a report published last week. Posts shared on these pages have been found to attract over 62,000 views on a single post, indicating that users looking for AI tools for video and image editing are the target of this campaign. Some of the fake social media pages identified include Luma Dreammachine Al, Luma Dreammachine, and gratistuslibros. Users who land on the social media posts are urged to click on links that advertise AI-powered content creation services, including videos, logos, images, and even websites. One of the bogus websites masquerad...

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that masquerades as a seemingly harmless Discord-related utility but incorporates a remote access trojan. The package in question is discordpydebug , which was uploaded to PyPI on March 21, 2022. It has been downloaded 11,574 times and continues to be available on the open-source registry. Interestingly, the package has not received any update since then. "At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library," the Socket Research Team said . "However, the package concealed a fully functional remote access trojan (RAT)." The package, once installed, contacts an external server ("backstabprotection.jamesx123.repl[.]co"), and includes features to read and write arbitrary files based on commands, readfile or writefile, received from the server. The RAT also supports the ability...

Cybersecurity researchers have detailed a malware campaign that's targeting Docker environments with a previously undocumented technique to mine cryptocurrency. The activity cluster, per Darktrace and Cado Security , represents a shift from other cryptojacking campaigns that directly deploy miners like XMRig to illicitly profit off the compute resources. This involves deploying a malware strain that connects to a nascent Web3 service called Teneo, a decentralized physical infrastructure network (DePIN) that allows users to monetize public social media data by running a Community Node in exchange for rewards called Teneo Points , which can be converted into $TENEO Tokens. The node essentially functions as a distributed social media scraper to extract posts from Facebook, X, Reddit, and TikTok. An analysis of artifacts gathered from Darktrace's honeypots has revealed that the attack starts with a request to launch a container image " kazutod/tene:ten " from the ...

Cybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that's designed to reroute trading orders placed on the MEXC cryptocurrency exchange to a malicious server and steal tokens. The package, ccxt-mexc-futures, purports to be an extension built on top of a popular Python library named ccxt (short for CryptoCurrency eXchange Trading), which is used to connect and trade with several cryptocurrency exchanges and facilitate payment processing services. The malicious package is no longer available on PyPI, but statistics on pepy.tech shows that it has been downloaded at least 1,065 times . "The authors of the malicious ccxt-mexc-futures package, claim in its README file that it extends the CCXT package to support 'futures' trade on MEXC," JFrog researcher Guy Korolevski said in a report shared with The Hacker News. However, a deeper examination of the library has revealed that it specifically overr...

Cybersecurity researchers have disclosed details of an artificial intelligence (AI) powered platform called AkiraBot that's used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO. "AkiraBot has targeted more than 400,000 websites and successfully spammed at least 80,000 websites since September 2024," SentinelOne researchers Alex Delamotte and Jim Walter said in a report shared with The Hacker News. "The bot uses OpenAI to generate custom outreach messages based on the purpose of the website." Targets of the activity include contact forms and chat widgets present in small to medium-sized business websites, with the framework sharing spam content generated using OpenAI's large language models (LLMs). What makes the "sprawling" Python-based tool stand apart is its ability to craft content such that it can bypass spam filters. It's believe...

Cybersecurity researchers have uncovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information and test stolen credit card data. Two of the packages, bitcoinlibdbfix and bitcoinlib-dev, masquerade as fixes for recent issues detected in a legitimate Python module called bitcoinlib, according to ReversingLabs . A third package discovered by Socket, disgrasya, contained a fully automated carding script targeting WooCommerce stores. The packages attracted hundreds of downloads before being taken down, according to statistics from pepy.tech - bitcoinlibdbfix - 1,101 downloads bitcoinlib-dev - 735 downloads disgrasya - 37,217 downloads "The malicious libraries both attempt a similar attack, overwriting the legitimate 'clw cli' command with malicious code that attempts to exfiltrate sensitive database files," ReversingLabs said. In an interesting twist, the authors of the counterfeit libraries are s...

The financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis (not to be confused with an Android banking trojan of the same name) that can grant them remote access to compromised Windows systems. "This malware allows attackers to execute remote shell commands and other system operations, giving them full control over an infected machine," Swiss cybersecurity company PRODAFT said in a technical report of the malware. FIN7, also called Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug, is a Russian cybercrime group known for its ever-evolving and expanding set of malware families for obtaining initial access and data exfiltration. In recent years, the threat actor is said to have transitioned to a ransomware affiliate. In July 2024, the group was observed using various online aliases to advertise a tool called AuKill (aka AvNeutralizer) that's capable of terminating security tools in a likely ...

Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as "time" related utilities, but harboring hidden functionality to steal sensitive data such as cloud access tokens. Software supply chain security firm ReversingLabs said it discovered two sets of packages totaling 20 of them. The packages have been cumulatively downloaded over 14,100 times - snapshot-photo (2,448 downloads) time-check-server (316 downloads) time-check-server-get (178 downloads) time-server-analysis (144 downloads) time-server-analyzer (74 downloads) time-server-test (155 downloads) time-service-checker (151 downloads) aclient-sdk (120 downloads) acloud-client (5,496 downloads) acloud-clients (198 downloads) acloud-client-uses (294 downloads) alicloud-client (622 downloads) alicloud-client-sdk (206 downloads) amzclients-sdk (100 downloads) awscloud-clients-core (206 downloads) creden...

Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries. The package in question is set-utils , which has received 1,077 downloads to date. It's no longer available for download from the official registry. "Disguised as a simple utility for Python sets, the package mimics widely used libraries like python-utils (712M+ downloads) and utils (23.5M + downloads)," software supply chain security company Socket said . "This deception tricks unsuspecting developers into installing the compromised package, granting attackers unauthorized access to Ethereum wallets." The package aims to target Ethereum developers and organizations working with Python-based blockchain applications, particularly Python-based wallet management libraries like eth-account. Besides embedding the attacker's RSA public key to...

Cybersecurity researchers have flagged a malicious Python library on the Python Package Index (PyPI) repository that facilitates unauthorized music downloads from music streaming service Deezer. The package in question is automslc, which has been downloaded over 104,000 times to date. First published in May 2019, it remains available on PyPI as of writing. "Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer's access restrictions by embedding hardcoded credentials and communicating with an external command-and-control (C2) server," Socket security researcher Kirill Boychenko said in a report published today. Specifically, the package is designed to log into the French music streaming platform via user-supplied and hard-coded credentials, gather track-related metadata, and download full audio files in violation of Deezer's API terms. The package also periodicall...

The North Korea-linked Lazarus Group has been linked to an active campaign that leverages fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver malware capable of infecting Windows, macOS, and Linux operating systems. According to cybersecurity company Bitdefender, the scam begins with a message sent on a professional social media network, enticing them with the promise of remote work, part-time flexibility, and good pay. "Once the target expresses interest, the 'hiring process' unfolds, with the scammer requesting a CV or even a personal GitHub repository link," the Romanian firm said in a report shared with The Hacker News. "Although seemingly innocent, these requests can serve nefarious purposes, such as harvesting personal data or lending a veneer of legitimacy to the interaction." Once the requested details are obtained, the attack moves to the next stage where the threat actor, under the guise of a recruiter, shares a lin...

The maintainers of the Python Package Index (PyPI) registry have announced a new feature that allows package developers to archive a project as part of efforts to improve supply chain security . "Maintainers can now archive a project to let users know that the project is not expected to receive any more updates," Facundo Tuesca, senior engineer at Trail of Bits, said . In doing so, the idea is to clearly signal to developers that the Python libraries are no longer being actively maintained and that no future security fixes or product updates should be expected. That said, projects labeled as archived will continue to remain available on PyPI and users can continue to install it without any issues. In a separate blog post detailing the feature, Tuesca said the maintainers are considering additional maintainer-controlled statuses to better communicate a project's status to downstream consumers. PyPI also recommends that package developers release a final version pr...