Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecuritySecurity NewswireCybersecurity News

New Research: Multi-Stage Malware Attack on Python Package Index Discovered

By Jordyn Alger, Managing Editor
Laptop

Mike Meyers via Unsplash

June 18, 2025

Researchers at JFrog have discovered that the Python Package Index (PyPI) has a malicious package in its repository. This package is able to harvest developer-related data, such as credentials, configuration information, and environment variables. 

The package (called chimera-sandbox-extensions) has more than 140 downloads and likely targets users of the Chimera Sandbox service. It is presented as a useful helper module for the service, but upon installment, it connects to an external domain and downloads/executes a next-stage payload. 

Below, security leaders discuss the researchers’ findings. 

Security Leaders Weigh In

Mike McGuire, Senior Security Solutions Manager at Black Duck:

This incident underscores the growing sophistication of supply chain attacks, where seemingly trustworthy packages can deliver dangerous malware. Unfortunately, attacks like these are likely to increase in frequency, so teams need to take a layered approach to defending themselves.

Development teams should move towards using curated package registries, like internal repositories, that provide control over which packages are allowed to be used in projects. Security teams can implement policy into these internal repositories to automate governance based on different risk metrics. 

Software composition analysis tools should be implemented to integrate directly into the CI/CD pipelines, scan projects, and detect the open source dependencies being used. This way, a dynamic list of packages can be maintained and continuously evaluated for vulnerabilities and malicious indicators. 

When deciding which open source packages to use, development and security teams should always be watching for red flags indicating potentially malicious components. The most significant red flags should be associated with project reputation. For example, packages with low download counts, no listed maintainers, suspicious README content, or empty documentation should be subjected to additional scrutiny. 

Teams should use lock files to pin dependencies to specific versions and avoid surprise updates. They can go even further by using hash-based verification to ensure that they’re installing the files that they’re expecting. 

Finally, those responsible for security should be reviewing dependencies regularly, and monitoring alerts from feeds like those associated with PyPI, npm, GitHub, and others. Given the scale of open source usage in modern application development, this most likely requires the use of automated tooling.

Fletcher Davis, Senior Security Research Manager at BeyondTrust: 

Within the last five years, attackers have leveraged PyPI and other package managers to exploit developer trust through typosquatting and supply chain attacks. Many recent attacks have compromised packages with millions of weekly downloads, demonstrating the sheer scale of impact. The chimera-sandbox-extensions incident underscores that traditional security approaches are insufficient against modern supply chain threats. Supply chain security requires a proactive, multi-layered approach combining technical controls, process improvements, and continuous monitoring rather than relying solely on reactive measures. 

Security teams must implement rigorous dependency management by locking packages to trusted versions and conducting automated vulnerability scanning. Organizations should verify package integrity, conduct thorough code reviews for new dependencies, and audit development workflows while implementing strict secret management and least-privilege access controls to limit exposure if packages are compromised. Real-time behavioral monitoring is essential to detect unusual API access patterns and authentication anomalies that indicate compromise from sophisticated supply chain attacks targeting corporate cloud infrastructure.

Eric Schwake, Director of Cybersecurity Strategy at Salt Security:

The detection of harmful packages, such as chimera-sandbox extensions, on PyPI highlights the significant and widespread risk posed by software supply chain attacks. The primary threat lies in its ability to collect sensitive developer-related data, including credentials, configuration files, and especially AWS tokens and CI/CD environment variables. This poses a direct risk to corporate and cloud infrastructures, enabling attackers to maliciously access and possibly alter or steal large volumes of data through compromised API credentials.

Security teams must adopt a multi-layered defensive strategy to avert such security breaches. This involves thoroughly checking all third-party and open-source packages before integration, understanding their functions, and applying the principle of least privilege to all development and deployment credentials. Effective API posture governance is crucial to ensure that the potential API access is limited, even if credentials like AWS tokens are compromised. Furthermore, ongoing runtime protection of application and API traffic for unusual behaviors, such as suspicious outbound connections or unauthorized data transfers, is vital to identify and address these advanced supply chain breaches before they result in larger system compromises.

Jason Soroko, Senior Fellow at Sectigo:

Security teams need to put policies and procedures into place to stop the attack at the package boundary. 

Ban direct pip and uv installs from public indexes. There are other repositories out there, so check on the ones you are using.  Mirror approved dependencies in an internal repository and enforce hash pinning in lockfiles. That’s a way to have assurance that you are using legitimate dependencies.  Scan all incoming packages with static and dynamic analysis to detect DGA calls and credential harvesting code observed in chimera sandbox extensions. Automate removal of outdated or unused dependencies.

Contain and limit damage if a malicious dependency lands. Run development workloads in non privileged sandboxes with egress restricted to vetted URLs. Strip secrets from build logs and inject short lived AWS and CI credentials only at runtime. Monitor DNS for algorithmically generated hostnames and block them. Rotate all exposed tokens immediately and audit for lateral movement.

KEYWORDS: malware software supply chain cyber security

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Jordynalger

Jordyn Alger is the managing editor for Security magazine. Alger writes for topics such as physical security and cyber security and publishes online news stories about leaders in the security industry. She is also responsible for multimedia content and social media posts. Alger graduated in 2021 with a BA in English – Specialization in Writing from the University of Michigan. Image courtesy of Alger

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cyber Tactics Column
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Logical Security
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

Half closed laptop

Sudo Vulnerability Discovered, May Exposes Linux Systems

Person holding cellphone

Millions of Android, iPhone Users Could Be Sending Data to China

Events

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

August 27, 2025

Risk Mitigation as a Competitive Edge

In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Amazon package in door mail slot

    Malicious Python Package Index steals Amazon Web Services credentials

    See More
  • Red and black electronic chip

    Research uncovers new attack method, security leaders share insights

    See More
  • Green digital symbols

    Researchers discovered a new phishing kit on the dark web

    See More

Related Products

See More Products
  • 9780815378068.jpg.jpg

    Biometrics, Crime and Security

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!