www.securitymagazine.com/articles/101700-new-research-multi-stage-malware-attack-on-python-package-index-discovered
New Research: Multi-Stage Malware Attack on Python Package Index Discovered

June 18, 2025

Researchers at JFrog have discovered a malicious package in the Python Package Index (PyPI). The package harvests developer-related data such as credentials, configuration information, and environment variables.

The package, chimera-sandbox-extensions, has more than 140 downloads and likely targets users of the Chimera Sandbox service. It is presented as a helper module for that service, but on installation it connects to an external domain and downloads and executes a next-stage payload.

Below, security leaders discuss the researchers’ findings. 

Security Leaders Weigh In

Mike McGuire, Senior Security Solutions Manager at Black Duck:

This incident underscores the growing sophistication of supply chain attacks, where seemingly trustworthy packages can deliver dangerous malware. Unfortunately, attacks like these are likely to increase in frequency, so teams need to take a layered approach to defending themselves.

Development teams should move towards using curated package registries, like internal repositories, that provide control over which packages are allowed to be used in projects. Security teams can implement policy into these internal repositories to automate governance based on different risk metrics. 

Software composition analysis tools should be implemented to integrate directly into the CI/CD pipelines, scan projects, and detect the open source dependencies being used. This way, a dynamic list of packages can be maintained and continuously evaluated for vulnerabilities and malicious indicators. 

When deciding which open source packages to use, development and security teams should always be watching for red flags indicating potentially malicious components. The most significant red flags should be associated with project reputation. For example, packages with low download counts, no listed maintainers, suspicious README content, or empty documentation should be subjected to additional scrutiny. 

Teams should use lock files to pin dependencies to specific versions and avoid surprise updates. They can go even further by using hash-based verification to ensure that they’re installing the files that they’re expecting. 

Finally, those responsible for security should be reviewing dependencies regularly, and monitoring alerts from feeds like those associated with PyPI, npm, GitHub, and others. Given the scale of open source usage in modern application development, this most likely requires the use of automated tooling.
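The hash-based verification McGuire describes (and the hash pinning in lockfiles Soroko recommends further down) is the control behind `pip install --require-hashes`. The following is an added example, not code from JFrog, the article, or any of the quoted vendors: it parses a constructed lock file, reports entries that are not pinned to an exact version or carry no `--hash`, and checks a downloaded artifact's digest against the pinned hashes before it would be installed. The package names, the internal index URL and the "wheel" bytes are all constructed for the example.

```python
"""Lock-file hash-pinning check: the control behind `pip install --require-hashes`.

Added example (not from the JFrog report or the article): parses a
requirements/lock file, reports entries that are not pinned to an exact
version or carry no --hash, and verifies a downloaded artifact's digest
against the pinned hashes before it is installed.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# One requirement as pip-compile / uv export writes it:
#   example-pkg==1.0.0 \
#       --hash=sha256:<hex>
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)==([^\s;]+)")
_HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


@dataclass
class PinnedRequirement:
    name: str
    version: str
    hashes: dict[str, set[str]] = field(default_factory=dict)  # algo -> hex digests


def parse_requirements(text: str) -> tuple[dict[str, PinnedRequirement], list[str]]:
    """Return ({normalized name: pin}, [policy violations]).

    Backslash continuations are joined first, as lock files normally span
    several physical lines per requirement. Anything that is not an exact
    '==' pin with at least one hash is a violation, never a silent pass.
    """
    pins: dict[str, PinnedRequirement] = {}
    problems: list[str] = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, or an option like --index-url
            continue
        m = _PIN_RE.match(line)
        if not m:
            problems.append(f"not pinned to an exact version: {line!r}")
            continue
        name = m.group(1).lower().replace("_", "-")  # approximates pip's name normalization
        req = PinnedRequirement(name, m.group(2))
        for algo, digest in _HASH_RE.findall(line):
            req.hashes.setdefault(algo, set()).add(digest.lower())
        if not req.hashes:
            problems.append(f"no --hash for {name}=={req.version}")
        pins[name] = req
    return pins, problems


def verify_artifact(data: bytes, req: PinnedRequirement) -> bool:
    """True only if the bytes match one of the pinned digests. An entry with
    no hashes can never verify, which is how --require-hashes behaves too."""
    return any(
        hashlib.new(algo, data).hexdigest() in digests
        for algo, digests in req.hashes.items()
    )


# Constructed sample artifacts, not real wheels: what the trusted build produced,
# and a tampered copy such as a poisoned mirror or index might serve.
TRUSTED_WHEEL = b"PK\x03\x04 constructed wheel contents for example-pkg 1.0.0"
TAMPERED_WHEEL = TRUSTED_WHEEL + b"\n# constructed next-stage loader appended by an attacker"

# Constructed lock file. example-pkg is pinned correctly; the other two entries
# violate policy in the two ways --require-hashes would reject. The index URL
# is an assumed internal mirror, not a real host.
SAMPLE_LOCKFILE = f"""
--index-url https://pypi.internal.example/simple    # assumed internal mirror
example-pkg==1.0.0 \\
    --hash=sha256:{hashlib.sha256(TRUSTED_WHEEL).hexdigest()}
unpinned-pkg>=2.0          # range, not an exact pin
nohash-pkg==3.1.4          # exact pin but no hash
"""

if __name__ == "__main__":
    pins, problems = parse_requirements(SAMPLE_LOCKFILE)
    for p in problems:
        print("POLICY VIOLATION:", p)
    ok = verify_artifact(TRUSTED_WHEEL, pins["example-pkg"])
    bad = verify_artifact(TAMPERED_WHEEL, pins["example-pkg"])
    print("trusted artifact verifies:", ok, "| tampered artifact verifies:", bad)
```

In a real pipeline the same policy is enforced by pip itself: generate the lock file with hashes (for example with pip-compile's `--generate-hashes`), install with `pip install --require-hashes -r requirements.txt`, and point pip at the internal mirror with `pip config set global.index-url <mirror URL>` so that a public index is never consulted directly. The check above is useful as a pre-merge gate in CI, where it fails the build on the two violation types before any install runs.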

Fletcher Davis, Senior Security Research Manager at BeyondTrust: 

Within the last five years, attackers have leveraged PyPI and other package managers to exploit developer trust through typosquatting and supply chain attacks. Many recent attacks have compromised packages with millions of weekly downloads, demonstrating the sheer scale of impact. The chimera-sandbox-extensions incident underscores that traditional security approaches are insufficient against modern supply chain threats. Supply chain security requires a proactive, multi-layered approach combining technical controls, process improvements, and continuous monitoring rather than relying solely on reactive measures. 

Security teams must implement rigorous dependency management by locking packages to trusted versions and conducting automated vulnerability scanning. Organizations should verify package integrity, conduct thorough code reviews for new dependencies, and audit development workflows while implementing strict secret management and least-privilege access controls to limit exposure if packages are compromised. Real-time behavioral monitoring is essential to detect unusual API access patterns and authentication anomalies that indicate compromise from sophisticated supply chain attacks targeting corporate cloud infrastructure.

Eric Schwake, Director of Cybersecurity Strategy at Salt Security:

The detection of harmful packages, such as chimera-sandbox-extensions, on PyPI highlights the significant and widespread risk posed by software supply chain attacks. The primary threat lies in its ability to collect sensitive developer-related data, including credentials, configuration files, and especially AWS tokens and CI/CD environment variables. This poses a direct risk to corporate and cloud infrastructures, enabling attackers to maliciously access and possibly alter or steal large volumes of data through compromised API credentials.

Security teams must adopt a multi-layered defensive strategy to avert such security breaches. This involves thoroughly checking all third-party and open-source packages before integration, understanding their functions, and applying the principle of least privilege to all development and deployment credentials. Effective API posture governance is crucial to ensure that the potential API access is limited, even if credentials like AWS tokens are compromised. Furthermore, ongoing runtime protection of application and API traffic for unusual behaviors, such as suspicious outbound connections or unauthorized data transfers, is vital to identify and address these advanced supply chain breaches before they result in larger system compromises.

Jason Soroko, Senior Fellow at Sectigo:

Security teams need to put policies and procedures into place to stop the attack at the package boundary. 

Ban direct pip and uv installs from public indexes. There are other repositories out there, so check on the ones you are using. Mirror approved dependencies in an internal repository and enforce hash pinning in lockfiles. That's a way to have assurance that you are using legitimate dependencies. Scan all incoming packages with static and dynamic analysis to detect DGA calls and credential harvesting code observed in chimera-sandbox-extensions. Automate removal of outdated or unused dependencies.

Contain and limit damage if a malicious dependency lands. Run development workloads in non-privileged sandboxes with egress restricted to vetted URLs. Strip secrets from build logs and inject short-lived AWS and CI credentials only at runtime. Monitor DNS for algorithmically generated hostnames and block them. Rotate all exposed tokens immediately and audit for lateral movement.
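Soroko's last two controls, an egress allowlist for build sandboxes and DNS monitoring for algorithmically generated hostnames, can be checked against resolver logs with a few lexical heuristics. The following is an added example, not code from any of the quoted vendors or from JFrog: it scores each DNS label for DGA-like traits (high character entropy, few vowels, many digits, long length), marks queries that fall outside a constructed allowlist, and counts per-client hits so that a single host generating several suspect names stands out. The log lines, the `.test` hostnames and the allowlist are all constructed; real deployments would use the Public Suffix List rather than "every label but the TLD", and would add NXDOMAIN rate over a time window as a further signal.

```python
"""DGA-hostname and egress-allowlist check over DNS resolver log lines.

Added example, not from the article or the JFrog report. Heuristics are
scored together because no single one is decisive on its own.
"""
from __future__ import annotations

import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed resolver log: "<epoch> <client_ip> <qname> <rcode>". The .test
# hostnames are made-up DGA-style names (RFC 2606 reserved TLD).
SAMPLE_DNS_LOG = """\
1750000000 10.0.0.5 pypi.org NOERROR
1750000001 10.0.0.5 files.pythonhosted.org NOERROR
1750000002 10.0.0.5 kq3x7v9zt2mqp8wd.test NXDOMAIN
1750000002 10.0.0.5 zp0w4nx8vq1lt6yb.test NXDOMAIN
1750000003 10.0.0.5 m7tq2xz9k4wvb1hj.test NOERROR
1750000004 10.0.0.5 github.com NOERROR
1750000005 10.0.0.5 internal-mirror.corp.example NOERROR
1750000006 10.0.0.9 cdn-assets-prod-eu-west-1.corp.example NOERROR
"""

# Constructed egress allowlist: exact names or parent domains the sandbox may reach.
EGRESS_ALLOWLIST = {"pypi.org", "files.pythonhosted.org", "github.com", "corp.example"}


def shannon_entropy(s: str) -> float:
    """Bits per character; near-uniform (random-looking) strings score higher."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_score(label: str) -> int:
    """Number of DGA-like traits (0-4) shown by one DNS label."""
    label = label.lower()
    n = len(label)
    if n == 0:
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    return sum([
        shannon_entropy(label) > 3.5,  # characters spread almost uniformly
        vowel_ratio < 0.2,             # not pronounceable
        digit_ratio > 0.2,             # letters and digits mixed freely
        n >= 12,                       # long enough for the ratios to mean something
    ])


def is_dga_suspect(qname: str, threshold: int = 3) -> bool:
    """Score every label except the TLD. Crude stand-in for Public Suffix List logic."""
    labels = qname.rstrip(".").lower().split(".")[:-1]
    return any(label_score(lbl) >= threshold for lbl in labels)


def is_allowed(qname: str, allowlist: set[str]) -> bool:
    """True if the name is an allowlisted domain or a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in allowlist)


def analyze_log(text: str, allowlist: set[str]) -> list[dict]:
    """One verdict dict per log line: egress allowed? DGA-like?"""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        results.append({
            "ts": int(ts), "client": client, "qname": qname, "rcode": rcode,
            "allowed": is_allowed(qname, allowlist),
            "dga_suspect": is_dga_suspect(qname),
        })
    return results


def suspicious_clients(results: list[dict], min_hits: int = 2) -> dict[str, int]:
    """Clients that produced at least min_hits DGA-like queries (a burst, not a one-off)."""
    hits = Counter(r["client"] for r in results if r["dga_suspect"])
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    verdicts = analyze_log(SAMPLE_DNS_LOG, EGRESS_ALLOWLIST)
    for v in verdicts:
        status = "allowed" if v["allowed"] else "DENIED"
        flag = " DGA-SUSPECT" if v["dga_suspect"] else ""
        print(f"{v['client']} {v['qname']:<42} {v['rcode']:<8} {status}{flag}")
    print("clients to isolate and rotate credentials for:", suspicious_clients(verdicts))
```

On the constructed log the three `.test` names are both denied by the allowlist and flagged as DGA-like, while the long but pronounceable `cdn-assets-prod-eu-west-1` label is not, which is the false-positive case the length trait alone would get wrong. The per-client count is what turns a detection into a response: the host behind those queries is the one whose AWS and CI tokens Soroko says to rotate immediately.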
