Python
-
ForceMemo offshoot of GlassWorm force pushes malware into hundreds of Python repositories
A supply chain campaign called ForceMemo stole GitHub tokens and force-pushed obfuscated code into hundreds of Python repositories starting March 8, 2026. Compromised packages and pip installs may deliver remote payloads.
-
Microsoft warns Python-based infostealers are targeting macOS via malvertising and fake installers
Microsoft warned in a technical analysis that Python-based infostealers have expanded to macOS since late 2025. Campaigns use malvertising, fake DMG installers, and fileless techniques to steal credentials and iCloud Keychain data.
-
New Python stealer called VVS Stealer harvests Discord tokens and browser data
VVS Stealer is a Python based information stealer that harvests Discord tokens and browser data. A Unit 42 technical analysis found it is Pyarmor obfuscated and offered for sale on Telegram from April 2025.
-
Water Saci campaign in Brazil uses WhatsApp worm, HTA and Python to deliver banking trojan; RelayNFC Android malware also active
Researchers say the Water Saci group has adopted a layered HTA/PDF/WhatsApp Web worm and a Python-based propagation script to deliver an AutoIt-backed banking trojan in Brazil, while a separate RelayNFC Android threat targets contactless payments.
-
Legacy Python bootstrap scripts create potential PyPI domain takeover risk, researchers say
ReversingLabs found legacy zc.buildout bootstrap scripts in several PyPI packages that download an obsolete Distribute installer from a domain now for sale, creating a potential domain takeover supply chain risk; researchers warned some projects still ship the file and pointed to a separate malicious PyPI package discovered by HelixGuard.
-
Malicious Blender .blend files used to deliver StealC V2, researchers say
Researchers at Morphisec say a campaign has used malicious Blender .blend files uploaded to free 3D asset sites to execute embedded Python scripts and deliver the StealC V2 information stealer and a secondary Python stealer; the attack runs when Blender’s Auto Run option is enabled.
-
Malicious PyPI package ‘soopsocks’ acted as SOCKS5 proxy and Windows backdoor, researchers say
Researchers say a PyPI package called soopsocks posed as a SOCKS5 proxy but included Windows backdoor capabilities, downloaded 2,653 times before removal; analysis attributes reconnaissance, privilege elevation, firewall changes and data exfiltration to a compiled executable and accompanying scripts.
-
New Campaign Uncovers 67 Trojanized GitHub Repositories Targeting Python Users
Cybersecurity experts have revealed a new campaign identifying 67 trojanized GitHub repositories that falsely advertise Python hacking tools, delivering malicious software instead. This campaign highlights the significant risks of using open-source repositories for developers.
-
New Python Backdoor Discovered, Linked to Pro-Ukraine Hackers
ReversingLabs has revealed a new malicious Python package, dbgpkg, designed to create backdoors on developers’ systems, suspected to be linked to a pro-Ukraine hacktivist group targeting Russian interests.
