
Over 170K users caught up in poisoned Python package ruse

More than 170,000 users are said to have been affected by an attack using fake Python infrastructure with “successful exploitation of multiple victims.”

According to Checkmarx, members of the GitHub organization as well as other developers were targeted, and it all hinged on various supply chain attack techniques to distribute malware-infected Python PyPI packages.

That malware stole data from people’s browsers, Discord (the chat app of choice for members), crypto wallets, and files that matched certain keywords. As of now, it’s not clear where this data was sent.

There were multiple prongs to this remarkably complicated attack: clones of popular Python packages such as Colorama, a doppelganger or typosquatted domain for Python packages, and code obfuscation. Also reported are account break-ins across trusted GitHub community members. All of these tactics were used to successfully steal user data from an undetermined number of developers.

The malicious Python packages were uploaded in November 2022, but the attack didn’t start in earnest until last February when the doppelganger domain was registered. The official PyPI domain is, though the similar pypihosted domain (now taken down by Cloudflare) was available and the attacker registered it. The attacker made sure that the real and fake URL strings looked nearly identical. In fact, the only difference between the two was the domain name, pythonhosted versus pypihosted.

The fake Python package website hosted the popular tool Colorama with some malware added on. The code is actually just a short line that’s been appended to the second line but with tons of spaces so that it would be invisible without scrolling to the right. This extra code installs the actual malware, which is obfuscated even further to hide its true purpose. The malware also survives reboots.

The next step was to replace instances of the genuine PyPI domain with the doppelganger URL on GitHub. Pip, the package manager for Python, allows coders to choose a specific URL for grabbing dependencies, which is what made doing this possible.

Of course, not just anyone can make a commit to a big GitHub project like, which is why the attacker broke into multiple GitHub accounts, such as editor-syntax, one of’s maintainers. It’s unclear how editor-syntax’s account was compromised, but it could have been through stolen cookies, which would have allowed the attacker to gain access without needing the password.

Via their GitHub account, the attacker made a commit to that ostensibly changed one thing, but also inserted the fake Colorama package in between several real URLs, making it stand out less. In repos maintained by other compromised accounts, the attacker made commits where several packages hosted on the real website were added along with the fake Colorama package. This also helped to conceal the existence of the doppelganger URL because it’s easy to overlook a single domain name change among several lines of altered code.
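A reviewer can check for this mechanically instead of by eye. The following is an added example, not code from Checkmarx or the affected project: it audits a requirements file for dependency URLs whose host is not on an allowlist and marks near-misses of an allowed host as lookalikes. The full hostnames, the similarity threshold and the sample file are assumptions built from the two domain names the article gives.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the one host this project accepts for direct package URLs.
ALLOWED_HOSTS = {"files.pythonhosted.org"}
LOOKALIKE_RATIO = 0.8  # assumed threshold; tune it against your own allowlist
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def classify_host(host):
    """Return 'ok', 'lookalike' (close to an allowed host) or 'unlisted'."""
    if host in ALLOWED_HOSTS:
        return "ok"
    for good in ALLOWED_HOSTS:
        if SequenceMatcher(None, host, good).ratio() >= LOOKALIKE_RATIO:
            return "lookalike"
    return "unlisted"


def audit_requirements(text):
    """Return (line_number, host, verdict) for every non-allowlisted URL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Drop pip-style comments; a '#sha256=' URL fragment is kept.
        line = re.sub(r"(^|\s)#.*$", "", line)
        for url in URL_RE.findall(line):
            host = (urlsplit(url).hostname or "").lower()
            verdict = classify_host(host)
            if verdict != "ok":
                findings.append((lineno, host, verdict))
    return findings


# Constructed sample requirements file (paths and versions are placeholders).
SAMPLE = """\
# pinned deps
requests==2.31.0
https://files.pythonhosted.org/packages/aa/bb/example_pkg-1.0.tar.gz
https://files.pypihosted.org/packages/aa/bb/colorama-0.0.0.tar.gz
somepkg @ https://example.com/somepkg-1.0.tar.gz  # direct reference
"""

if __name__ == "__main__":
    for lineno, host, verdict in audit_requirements(SAMPLE):
        print(f"line {lineno}: {host} -> {verdict}")
```

Run as a pre-merge check over the changed requirements files, this surfaces a single swapped domain even when the diff buries it among legitimate URLs.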

On March 3, users realized that the GitHub repo was compromised and informed editor-syntax that he had made the commit that added the doppelganger URL. He first said “I haven’t even contributed to that repository” but once a user showed him his account definitely did it, he replied “bro what.”

It’s impossible to know how many users exactly may have been affected, but the fact that the malware made its way into the GitHub repository of a 170,000-strong Discord server suggests it could have been at least thousands or even tens of thousands.

Developers have been making efforts for years to ensure the integrity of open source package managers like PyPI, but it’s certainly difficult to defend against attacks that utilize as many vectors as this one. ®