Cybersecurity researchers have uncovered a sophisticated supply-chain attack targeting Python developers through a malicious package distributed via the Python Package Index (PyPI).
The malicious package, named “spellcheckers,” contains a multi-layered encrypted backdoor designed to steal cryptocurrency information and establish remote access to victims’ computers.
The command-and-control (C2) infrastructure used in this attack has been linked to previous social engineering campaigns where threat actors impersonated recruiters to target cryptocurrency users.
These “fake recruiter” attacks have become increasingly prevalent throughout 2025, with attackers primarily focusing on stealing sensitive cryptocurrency wallet information and credentials.
By expanding their operations to the PyPI repository, the attackers have significantly broadened their potential victim base, targeting developers who unknowingly install the compromised package.
The malicious package mimics the legitimate “pyspellchecker” library, which has accumulated over 18 million downloads.
Since its deployment, the fake “spellcheckers” package has already been downloaded more than 950 times, potentially compromising hundreds of developer systems and environments.
Multi-Stage Attack Mechanism
The attack unfolds through a carefully orchestrated three-stage process designed to evade detection and establish persistent remote access.
In the first stage, the malicious code executes through a Base64-encoded hidden index file named “ma_IN.index.”
When users install and import the package, the code in spellcheckers/detect.py triggers the run_index method, which reads the encoded payload from the index file, decodes it using Base64, and executes it using Python’s exec() function.
The decoded first-stage payload immediately establishes contact with the attacker’s C2 server located at dothebest. store.
It retrieves additional malicious code from the endpoint “inform.php” and executes it in a detached subprocess, ensuring the backdoor operates independently without alerting the user through visible console windows or error messages.
The second stage involves downloading another Base64-encoded script from the C2 server that implements a fully functional remote access trojan (RAT).
This sophisticated backdoor establishes a persistent connection to the C2 server through the “refresh.php” endpoint and continuously polls for commands from the attackers.
Advanced Evasion Techniques
The malware employs several sophisticated techniques to avoid detection by security tools and analysts.
The payload uses custom XOR encryption with a 16-byte key to obfuscate network communications between the infected system and the C2 server.
The backdoor continuously polls the C2 server and executes Python code received through command ID 1001, granting attackers complete remote control over the infected system with the ability to execute arbitrary Python commands.
All data transmitted to the attacker is encrypted using this XOR cipher before being Base64-encoded, making network traffic analysis significantly more challenging.
The backdoor implements a custom protocol format that includes command identifiers and data length fields, with an additional layer of encryption using a simple XOR operation with the key value 123.
This dual-layer encryption approach ensures that even if security researchers intercept the network traffic, decrypting the malicious commands remains difficult.
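The two XOR layers described above are only an obstacle until an analyst has the sample, and even without it a repeating-key XOR leaks one key byte for every byte of known plaintext. The following decoder is an added example written for this article, not code from the report or from the malware; the byte layout it assumes (a 4-byte command id, a 4-byte length, then the data; data XORed with the single byte 123, the whole frame XORed with a 16-byte key, then Base64) is an assumption, since the article names the pieces but not their exact order, and the key, hostname and beacon content are constructed sample values.

```python
import base64
import json
import struct
from itertools import cycle

# Assumed layering for this example (the report names the pieces, not the exact
# byte layout): [4-byte command id][4-byte data length][data]. The data is first
# XORed with the byte 123, the whole frame is then XORed with a repeating
# 16-byte key, and the result is Base64-encoded.
HDR = struct.Struct(">II")
INNER_KEY = bytes([123])
# Constructed sample key; in a real analysis it is lifted from the stage-2 script.
OUTER_KEY = bytes(range(0x10, 0x20))
CMD_EXEC_PYTHON = 1001  # command id the report associates with remote Python execution


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_frame(cmd_id: int, data: bytes, outer_key: bytes) -> str:
    """Used only to construct a sample beacon for the decoder below."""
    inner = xor_bytes(data, INNER_KEY)
    frame = HDR.pack(cmd_id, len(inner)) + inner
    return base64.b64encode(xor_bytes(frame, outer_key)).decode("ascii")


def decode_frame(b64_text: str, outer_key: bytes):
    """Strip Base64 and both XOR layers; return (command id, plaintext data)."""
    frame = xor_bytes(base64.b64decode(b64_text), outer_key)
    cmd_id, length = HDR.unpack_from(frame)
    body = frame[HDR.size:HDR.size + length]
    if len(body) != length:
        raise ValueError("truncated frame or wrong outer key")
    return cmd_id, xor_bytes(body, INNER_KEY)


def recover_outer_key(b64_text: str, known_frame_prefix: bytes, key_len: int = 16) -> bytes:
    """Repeating-key XOR leaks one key byte per known plaintext byte, so the first
    16 bytes of a beacon whose content is known (one sent from a sandbox whose
    hostname and OS the analyst chose) yield the whole key."""
    if len(known_frame_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    ciphertext = base64.b64decode(b64_text)
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_frame_prefix[:key_len]))


# Constructed sample: the kind of system-information beacon the report describes.
SAMPLE_BEACON = {"os": "Windows-10", "host": "SANDBOX-01", "id": "a1b2c3d4e5f6"}


def demo():
    plain = json.dumps(SAMPLE_BEACON).encode()
    wire = build_frame(2, plain, OUTER_KEY)
    # The analyst knows the header (command id, length) and the first bytes of
    # the JSON body, so the first 16 frame bytes are known plaintext.
    known = HDR.pack(2, len(plain)) + xor_bytes(plain[:8], INNER_KEY)
    recovered = recover_outer_key(wire, known)
    cmd_id, data = decode_frame(wire, recovered)
    return cmd_id, json.loads(data), recovered


if __name__ == "__main__":
    cmd_id, beacon, key = demo()
    print(cmd_id, beacon, key.hex())
```

In practice the decoder is fed from a PCAP or proxy log, and any frame whose command id is 1001 is the one to alert on, because the report ties that id to arbitrary Python execution; the key-recovery routine is there to show why this layering does not hold up once a sandbox run gives the analyst a beacon with known contents.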
Exception suppression is implemented throughout the code, with try-except blocks that catch and silently ignore all errors.
Because every failure is swallowed, no traceback or error message ever reaches the user, and monitoring that relies on error output has nothing to log, so the malware's failures never become the unusual events that would alert a system administrator.
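The loader pattern from the first stage (a non-Python data file holding a Base64-encoded script that a tiny stub decodes and hands to exec()) and the blanket exception suppression described here are both visible to static analysis before a package is ever installed. The scanner below is an added example written for this article, not a tool from the report, and the sample package it builds in a temporary directory is a constructed fixture mirroring the described layout (a detect.py stub and a hidden ma_IN.index file); the fixture is only scanned, never executed, and the module and call lists it flags are this example's own choices.

```python
import ast
import base64
import binascii
import os
import re
import tempfile

# A contiguous Base64 run long enough to hold a script rather than a short token.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
DYNAMIC_EXEC = {"exec", "eval", "compile"}
RISKY_MODULES = {"subprocess", "socket", "urllib", "requests", "ctypes"}


def analyze_source(src: str) -> dict:
    """AST scan for the three traits the report describes: dynamic code
    execution, process/network modules, and except blocks that only pass."""
    tree = ast.parse(src)
    dynamic, imports, silent = set(), set(), 0
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in DYNAMIC_EXEC:
            dynamic.add(node.func.id)
        elif isinstance(node, ast.Import):
            imports.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        elif isinstance(node, ast.ExceptHandler):
            if len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
                silent += 1
    return {"dynamic_exec": sorted(dynamic),
            "risky_imports": sorted(imports & RISKY_MODULES),
            "silent_except": silent}


def is_interesting(f: dict) -> bool:
    return bool(f["dynamic_exec"] or f["risky_imports"] or f["silent_except"])


def hidden_python_blobs(raw: bytes):
    """Yield Base64 runs in any file that decode to syntactically valid Python."""
    for m in B64_RUN.finditer(raw):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
            ast.parse(text)
        except (binascii.Error, UnicodeDecodeError, SyntaxError, ValueError):
            continue
        yield text


def scan_package(root: str) -> list:
    """Walk an unpacked package; report source files and hidden blobs with findings."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                raw = fh.read()
            if name.endswith(".py"):
                try:
                    f = analyze_source(raw.decode("utf-8"))
                except (UnicodeDecodeError, SyntaxError, ValueError):
                    f = None
                if f and is_interesting(f):
                    results.append({"file": rel, "kind": "source", **f})
            # Non-.py files (and .py files too) may carry an encoded second script.
            for text in hidden_python_blobs(raw):
                f = analyze_source(text)
                if is_interesting(f):
                    results.append({"file": rel, "kind": "hidden_blob", **f})
    return sorted(results, key=lambda r: (r["file"], r["kind"]))


def build_sample_package(root: str) -> str:
    """Constructed fixture mirroring the described layout; it is scanned, never run."""
    pkg = os.path.join(root, "samplepkg")
    os.makedirs(pkg)
    hidden_script = "import subprocess\ntry:\n    exec(open('stage2').read())\nexcept Exception:\n    pass\n"
    with open(os.path.join(pkg, "ma_IN.index"), "wb") as fh:
        fh.write(base64.b64encode(hidden_script.encode()))
    with open(os.path.join(pkg, "detect.py"), "w") as fh:
        fh.write("import base64, os\n\ndef run_index():\n    here = os.path.dirname(__file__)\n"
                 "    blob = open(os.path.join(here, 'ma_IN.index'), 'rb').read()\n"
                 "    try:\n        exec(base64.b64decode(blob))\n    except Exception:\n        pass\n")
    with open(os.path.join(pkg, "__init__.py"), "w") as fh:
        fh.write("from .detect import run_index\n")
    return pkg


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return scan_package(build_sample_package(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a downloaded sdist or wheel unpacked with `pip download` and `unzip` rather than against an installed copy, so the loader never gets to run; a data file whose Base64 content decodes to Python that imports subprocess and calls exec() is the signal to look for, and a clean package yields an empty list.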
Once fully deployed, the RAT collects system information including the operating system version, computer name, and a randomly generated 12-character object identifier.
This information is transmitted to the C2 server in encrypted form, allowing attackers to catalog compromised systems.
