Over 170K users hit by poisoned Python package ruse

More than 170,000 users have been affected by an attack using fake Python infrastructure with “successful exploitation of multiple victims.”

According to Checkmarx, the attack targeted the GitHub organization, as well as other developers. The attacker relied on various supply chain attack techniques to distribute malware-infected PyPI packages.

The malware stole data from browsers, Discord (the chat app of choice for members), crypto wallets, and files that matched certain keywords. As of now, it’s not clear where this data was sent.

The remarkably complicated attack had multiple prongs: clones of popular Python packages such as Colorama, and a doppelganger, or typosquatted, domain for Python packages. Account break-ins across trusted GitHub community members were also reported. All of these tactics were used to successfully steal user data from an undetermined number of developers.

The malicious Python packages were uploaded in November 2022, but the attack didn’t start in earnest until last February when the doppelganger domain was registered. The official PyPI domain is, though the similar pypihosted domain (now taken down by Cloudflare) was open and the attacker registered it. The attacker made sure that the real URL and the fake URL strings looked nearly identical. In fact, the only difference between the two was the domain name, pythonhosted versus pypihosted.

The fake Python package website hosted the popular tool Colorama with some malware added on. The code is actually just a short line that’s been appended to the second line but with tons of spaces so that it would be invisible without scrolling to the right. This extra code installs the actual malware, which is obfuscated even further to hide its true purpose. The malware also survives reboots.

The next step was to replace instances of the genuine PyPI domain with the doppelganger URL on GitHub. Pip, the package manager for Python, allows coders to choose a specific URL for grabbing dependencies, which is what made doing this possible.

Of course, not just anyone can make a commit to a big GitHub project like, which is why the attacker broke into multiple GitHub accounts, such as editor-syntax, one of’s maintainers. It’s unclear how editor-syntax’s account was compromised, but it could have been through stolen cookies, which would have allowed the attacker to gain access without needing the password.

Via their GitHub account, the attacker made a commit to that ostensibly changed one thing, but also inserted the fake Colorama package in between several real URLs, making it stand out less. In repos maintained by other compromised accounts, the attacker made commits where several packages hosted on the real website were added along with the fake Colorama package. This also helped to conceal the existence of the doppelganger URL because it’s easy to overlook a single domain name change among several lines of altered code.
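Because pip will fetch from whatever URL a requirements line names, a host allowlist check in code review or CI catches a swapped domain even when it sits among legitimate lines. The following is an added example, not code from Checkmarx or the original article: the function names, the allowlist policy, the similarity threshold and the sample file (with `.example` placeholder hosts and dummy package paths) are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed policy: the only hosts this project may fetch packages from.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
URL_RE = re.compile(r"https?://[^\s#;]+", re.I)

# Constructed requirements file; hosts ending in .example are placeholders.
SAMPLE = """\
# pinned dependencies
requests==2.31.0
https://files.pythonhosted.org/packages/xx/yy/yarl-0.0.0.tar.gz
https://files.pypihosted.example/packages/xx/yy/colorama-0.0.0.tar.gz
https://files.pythonhosted.org/packages/xx/yy/idna-0.0.0.tar.gz
--extra-index-url https://mirror.internal.example/simple  # not reviewed
"""


def lookalike_of(host, threshold=0.7):
    """Return the allowlisted host whose labels `host` nearly matches, else None."""
    for allowed in sorted(ALLOWED_HOSTS):
        for good in (g for g in allowed.split(".") if len(g) >= 4):
            for label in host.split("."):
                ratio = SequenceMatcher(None, label, good).ratio()
                if label != good and ratio >= threshold:
                    return allowed
    return None


def audit_requirements(text):
    """Return (line_no, host, verdict) for each URL whose host is not allowlisted."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = re.sub(r"(^|\s)#.*$", "", raw)  # strip pip-style comments only
        for url in URL_RE.findall(line):
            host = (urlsplit(url).hostname or "").lower()
            if host in ALLOWED_HOSTS:
                continue
            near = lookalike_of(host)
            verdict = f"lookalike of {near}" if near else "unapproved host"
            findings.append((line_no, host, verdict))
    return findings


if __name__ == "__main__":
    for line_no, host, verdict in audit_requirements(SAMPLE):
        print(f"line {line_no}: {host}: {verdict}")
```

The allowlist is what blocks the fetch; the lookalike verdict only tells a reviewer which finding to look at first.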

On March 3, users realized that the GitHub repo was compromised and informed editor-syntax that he had made the commit that added the doppelganger URL. He first said, “I haven’t even contributed to that repository,” but once a user showed him his account definitely did it, he replied, “bro what.”

It’s impossible to know how many users exactly may have been affected, but the fact that the malware made its way into the GitHub repository of a 170,000-strong Discord server suggests it could have been at least thousands or even tens of thousands.

Developers have been making efforts for years to ensure the integrity of open source package managers like PyPI, but it’s certainly difficult to defend against attacks that utilize as many vectors as this one. ®