Malicious actors have taken advantage of the increasing popularity of DeepSeek AI to spread two harmful infostealer packages through the Python Package Index (PyPI) by posing as legitimate developer tools for the AI platform.
Positive Technologies researchers uncovered and reported the scheme, which aimed at developers, machine learning engineers, and AI enthusiasts who were incorporating DeepSeek AI into their systems.
The malicious campaign was intercepted and resolved by the Supply Chain Security team at the Threat Intelligence department of the Positive Technologies Expert Security Center (PT ESC). With PyPI serving as the default package repository for widely used package managers like pip, pipenv, and poetry, it became a prime target for supply chain attacks.
On January 29, 2025, an account named bvk, which had been created in June 2023 with no prior activity, uploaded two deceptive packages: deepseeek and deepseekai. These packages were crafted to extract sensitive user and system data, such as API keys, database credentials, and infrastructure access tokens.
The malefactors’ payload within the packages collected and sent user and system data when users executed the respective package commands in the command-line interface. Specifically, they targeted environment variables where crucial application credentials and access tokens are often stored.
The stolen data was transmitted to a command-and-control (C2) server hosted on Pipedream, a developer integration platform. It was noted by researchers that the script contained comments suggestive of AI-generated assistance, indicating the likely use of an AI assistant in developing the malware.
Despite the prompt response by security researchers, the malicious packages were downloaded multiple times before being removed. According to Positive Technologies:
– 36 downloads were executed using the pip package manager and the Bandersnatch mirroring tool.
– 186 downloads were carried out via browser requests, the requests library, and other tools.
PyPI administrators were promptly informed, and the compromised packages were eliminated. Nevertheless, this incident underscored the escalating threat of supply chain attacks within the open-source ecosystem.
Jason Soroko, a senior fellow at Sectigo, pointed out that the report from the researchers elucidated a threat where bad actors injected info stealer malware into the PyPI repository by disguising it as DeepSeek. Soroko emphasized the exploitation of trusted naming conventions and the reliance of the open-source ecosystem on authentic package sources, highlighting a growing risk in software supply chains.
In light of this attack, Mike McGuire, Senior Security Solutions Manager at Black Duck, stressed the need for developers to exercise caution with the packages they download. He highlighted the importance of thorough scrutiny and verification of packages before installation, as well as the use of tools for auditing dependencies to identify and eliminate potentially malicious packages.
In conclusion, incidents like this emphasize the necessity for developers to implement better security practices when utilizing third-party packages from repositories like PyPI. It is crucial to verify package authenticity, audit dependencies, monitor environment variables, and implement supply chain security tools to detect anomalies in installed packages. By following these mitigation strategies, developers can protect themselves against similar supply chain attacks in the future.