Multiple Malicious Packages Discovered on PyPI, npm, and RubyGems

Evidence of broad and sustained attacks using several npm, Python, and Ruby packages continues to emerge. A series of malicious packages have been added to the npm, PyPI, and RubyGems package repositories. The attacks have been ongoing for some time, with some seeded years ago. Their aims are manifold, including stealing funds from crypto wallets, deleting codebases, and obtaining Telegram messaging data. Most affected packages are from PyPI, with over thirty packages affected across the three repositories.

No Evidence of Cloudsmith Customers Being Affected

The attacks have different goals, but are mainly introduced through typosquatting: the publication of a bogus package with a name similar to that of a legitimate package, intended to mislead developers into using the fake. For example, the malicious xlsc-to-json-lh is a typosquat of xlsx-to-json-lc.

Another tactic we see in these attacks, similar to typosquatting, is brandjacking or name-squatting, where an attacker uses a brand or utility name to make the package appear as a bona fide tool for use in the same functional domain. For example, solana-charts uses the Solana name to masquerade as a legitimate package for working with the Solana cryptocurrency.
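As an added illustration (not Cloudsmith tooling or code from the original post), the sketch below flags dependency names that sit within a small edit distance of a trusted name or that embed a protected brand name. The KNOWN_GOOD and BRANDS lists and the distance threshold are assumptions a team would maintain for itself.

```python
import re

# Assumptions: names this team trusts, and brand names it wants to watch.
KNOWN_GOOD = {"colorama", "xlsx-to-json-lc"}
BRANDS = {"colorama", "solana"}

def normalize(name):
    # PEP 503 style: case-insensitive, runs of "-", "_" and "." are equivalent
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    # Levenshtein distance computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify(name, max_distance=2):
    """Return (verdict, matched name) for one dependency name."""
    n = normalize(name)
    if n in KNOWN_GOOD:
        return ("ok", n)
    for good in sorted(KNOWN_GOOD):
        if edit_distance(n, good) <= max_distance:
            return ("typosquat?", good)
    for brand in sorted(BRANDS):
        if brand in n:
            return ("brandjack?", brand)
    return ("unknown", None)

if __name__ == "__main__":
    # Names taken from this article, plus one unrelated name for contrast
    for dep in ["Colorama", "xlsc-to-json-lh", "solana-charts", "coloramapkgs", "left-pad"]:
        print(dep, classify(dep))
```

A flag is a prompt for review, not a verdict: short names produce false positives at distance 2, and a legitimate package can contain a brand name.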

We have no evidence that any customer has been affected. For customers that follow Cloudsmith’s recommended setups, none appear to be impacted. If we find that a customer has been compromised, we’ll get in touch immediately.

Npm Packages

BSC and Ethereum

Five malicious packages have been identified on npm. Four target the blockchain platforms BSC and Ethereum: pancake_uniswap_validators_utils_snipe, pancakeswap-oracle-prediction, Ethereum, and env-process.

Both platforms let developers build apps using smart contracts, which are self-executing code that runs when certain conditions are met, enabling automatic payments or trades. Together, the packages have received over 2000 downloads.

This attack was seeded 4 years ago when the packages were first uploaded. They operate by stealth, stealing a percentage of a transaction by diverting money away from the target wallet to the attacker’s wallet.  

Excel to JSON Converter

The fifth package is xlsc-to-json-lh. This is a one-letter difference typosquat on the legitimate xlsx-to-json-lc, an Excel to JSON converter with over 1500 weekly downloads. The malicious package can delete entire project directories without warning or recovery options.

PyPI Packages

Solana Cryptocurrency

Over 25 malicious Python packages have been identified. Many of these target the Solana cryptocurrency ecosystem. Eleven were published by the same threat actor and split across four payloads in May 2025: solana-test, solana-token, solana-charts, solana-test-suite, solana-data, solana-coin, dexscreener-charts, dexscreener-data, solana-trade, sol-prices, solana-live. The attacks aim to steal cryptocurrency, source code, and other sensitive data. 

In a related attack on Solana, a threat actor known as “cappership” added covert malware to the previously benign package semantic-types. The malware was designed to steal keys from Solana wallets during software development and through automated build processes. 

The attack introduced four additional PyPI packages: solana-keypair, solana-publickey, solana-trading-bot, and soltrade, which have an indirect dependency on semantic-types. This dependency means that semantic-types is added during the installation of the packages. Hiding a malicious payload behind a few layers of dependencies is a common attack technique in supply chain compromises.
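To see how a denylisted package can arrive without ever being named in your requirements, the added example below (not from the original post) walks a dependency graph and reports the shortest chain from a root package to a denied one. installed_graph() builds the graph from the current Python environment; SAMPLE_GRAPH is constructed, and "intermediate-placeholder" stands in for the package in between, which the article does not name.

```python
import re
from collections import deque
from importlib import metadata

def norm(name):
    # PEP 503 normalisation so "Semantic_Types" and "semantic-types" compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_graph():
    """Map every installed distribution to the names in its Requires-Dist lines."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if not name:
            continue
        deps = set()
        for req in dist.requires or []:
            # Keep only the project name; markers and extras are ignored, which
            # over-approximates the graph (the safer side for a denylist check).
            m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
            if m:
                deps.add(norm(m.group(1)))
        graph[norm(name)] = deps
    return graph

def chain_to_denied(graph, root, denied):
    """Shortest dependency chain from root to any denied package, or None."""
    denied = {norm(d) for d in denied}
    start = norm(root)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in denied:
            return path
        for dep in sorted(graph.get(path[-1], ())):
            if dep not in seen:          # also protects against dependency cycles
                seen.add(dep)
                queue.append(path + [dep])
    return None

# Constructed graph for illustration only
SAMPLE_GRAPH = {
    "solana-keypair": {"intermediate-placeholder"},
    "intermediate-placeholder": {"semantic-types"},
    "semantic-types": set(),
    "colorama": set(),
}

if __name__ == "__main__":
    print(chain_to_denied(SAMPLE_GRAPH, "solana-keypair", {"semantic-types"}))
```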

The attack vector exploits Python’s dynamic features using a monkey patch, where functions are modified at runtime but the original source code is unchanged. The actor backed up their attack with convincing-looking documentation to gain trust, linking to authentic material on Stack Overflow, GitHub repos, and Solana docs. This highlights the tactics attackers are using to fake authenticity.

See Wikipedia's Monkey patch page for more details.
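Because a monkey patch leaves the source files untouched, file-based review will not show it; comparing live objects will. The added example below (not from the original post) snapshots the functions defined on a class and later reports any that were added, removed, or replaced. Keypair is a hypothetical stand-in for a wallet library class, and the wrapper in demo() is a benign stand-in for a runtime modification.

```python
class Keypair:
    # Hypothetical stand-in for a wallet library class
    def __init__(self):
        self.secret = bytes(32)

    @classmethod
    def generate(cls):
        return cls()

def _raw(attr):
    # Unwrap classmethod/staticmethod so the underlying function is compared
    return getattr(attr, "__func__", attr)

def snapshot(cls):
    """Record the function object behind every callable defined on cls."""
    return {n: _raw(a) for n, a in vars(cls).items() if callable(_raw(a))}

def drift(cls, baseline):
    """Compare cls with an earlier snapshot. Object identity is compared rather
    than __name__ or __module__, because that metadata can be copied."""
    current = snapshot(cls)
    report = {}
    for name in sorted(current.keys() | baseline.keys()):
        if name not in baseline:
            report[name] = "added"
        elif name not in current:
            report[name] = "removed"
        elif current[name] is not baseline[name]:
            report[name] = "replaced"
    return report

def demo():
    baseline = snapshot(Keypair)        # take this before third-party imports run
    saved = vars(Keypair)["generate"]
    original = Keypair.generate

    def wrapper():
        # Benign stand-in: behaves exactly like the original method
        return original()

    Keypair.generate = staticmethod(wrapper)   # simulated runtime modification
    report = drift(Keypair, baseline)
    Keypair.generate = saved                   # restore the class for later callers
    return report

if __name__ == "__main__":
    print(demo())
```

The check is only as good as its baseline: take the snapshot before any third-party dependency has been imported, then compare afterwards.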

Colorama and Colorizr

Another typosquatting attack targeted the popular Colorama package, which is used for colorizing terminal output. In a twist on a regular typosquat, the actor also uploaded malicious Python libraries resembling an npm JavaScript package: colorizr. A cross-domain attack like this is unusual and demonstrates how attackers are becoming more inventive.

For the Colorama typosquat, the following packages were flagged: coloramapkgsw, coloramapkgsdow, coloramashowtemp, coloramapkgs, and readmecolorama. The bogus Python libraries based on colorizr were colorizator and coloraiz.

The packages contained toxic payloads that allowed remote access, remote machine control, and access to sensitive data. On Windows, they attempt to avoid detection by bypassing endpoint protection, such as antivirus software.

Alibaba AI Services

Recently, three malicious packages surfaced that offered a Python SDK for Alibaba’s AI services. Alibaba provides a range of products in the AI domain that cover LLMs, computer vision, natural language processing, and AI-driven applications across multiple industries. The three bogus packages were: aliyun-ai-labs-snippets-sdk, ai-labs-snippets-sdk, and aliyun-ai-labs-sdk.

None of the packages contained functional code related to AI; they were just malware used to extract sensitive information. The attackers hid malicious payloads in PyTorch models, which are encoded as zipped Pickle files. Pickle has a well-known weakness: deserializing a Pickle file can execute arbitrary code, giving attackers a way of bypassing standard security controls.
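A model file can be inspected without loading it. The added example below (not from the original post) reads the Pickle opcodes inside a zipped checkpoint with pickletools, which never executes anything, and reports every import that is not on an allowlist. The ALLOWED set is an assumption, and both sample archives are constructed in memory.

```python
import io
import pickle
import pickletools
import zipfile

# Assumption: the (module, name) pairs this team accepts in model checkpoints.
ALLOWED = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}

def pickle_imports(data):
    """Return the (module, name) pairs a pickle stream would import. Never unpickles."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two strings pushed just before.
            # Heuristic: strings fetched from the memo (BINGET) are not tracked,
            # so treat the result as a triage aid.
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        elif isinstance(arg, str):
            strings.append(arg)
    return found

def scan_model(blob):
    """Scan a zipped checkpoint held in memory; return {member: [disallowed imports]}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for member in zf.namelist():
            if member.endswith(".pkl"):
                bad = [g for g in pickle_imports(zf.read(member)) if g not in ALLOWED]
                if bad:
                    report[member] = bad
    return report

class Marker:
    # Constructed sample: loading it would call len("x"), a harmless stand-in
    # for the callable a hostile model file would name instead.
    def __reduce__(self):
        return (len, ("x",))

def make_sample(obj):
    """Build a constructed in-memory archive laid out like a torch.save() zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=4))
    return buf.getvalue()

SAMPLE_FLAGGED = make_sample(Marker())
SAMPLE_CLEAN = make_sample({"weights": [0.1, 0.2]})
```

Any import outside the allowlist is a reason to quarantine the file before anything calls a loader on it.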

Ruby Gems

In the Ruby ecosystem, two malicious gems were published, designed to exfiltrate all data sent to the API for the popular messaging service Telegram. The gems, fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram, are typosquats on the Fastlane open-source plugin, an automation tool for mobile app developers. Fastlane can be used for code signing, compiling, app store uploads, notifications, and managing metadata.

The malicious gems were almost identical to the legitimate plugin, with one crucial difference. The API endpoint had been switched to the attacker’s endpoint, intercepting sensitive data. Stealing API data gives the attackers access to authentication tokens, messages, uploaded files, and credentials. 

Blocking Attacks in Cloudsmith

Cloudsmith offers a strong line of defense against malicious packages with our policy management tools, including Enterprise Policy Management (EPM). All you need is identifying information, such as name or version, to build a policy that quarantines packages before they have a chance to infect your software supply chain.

In a previous post, we demonstrated how easy it is to block packages based on version numbers. If you know the package names, you can easily put together a policy, for example:

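package cloudsmith

# Enables the `if` and `in` keywords on OPA versions before 1.0
import rego.v1

# Malicious packages flagged in the Colorama and Colorizr typosquatting campaign
malicious_packages := {
    "colorizator",
    "coloraiz",
    "coloramapkgsw",
    "coloramapkgsdow",
    "coloramashowtemp",
    "coloramapkgs",
    "readmecolorama"
}

default match := false

# Match Python-format packages whose name is on the list above
match if {
    input.v0["package"].format == "python"
    input.v0["package"].name in malicious_packages
}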

Packages matching the policy can be tagged or quarantined, allowing you to control the identification and use of any of these malicious packages.

Check out our short tutorial on how to block packages based on multiple conditions.

To find out more about policies and security in Cloudsmith, book a demo.

