Software Supply Chain Under Attack: New Malware Infiltrates PyPI & npm with Advanced Tactics

Amid a surge in increasingly sophisticated software supply chain attacks, cybersecurity experts have identified a new wave of malicious software infiltrating official repositories, including the Python Package Index (PyPI) and npm. These are not isolated incidents but part of a broader, coordinated campaign targeting developers and corporate infrastructure reliant on cloud services and continuous integration systems.

One notable case involved a malicious package named chimera-sandbox-extensions, uploaded to PyPI. Posing as a support module for Chimera Sandbox—a platform for experimental machine learning development—it was, in reality, designed to exfiltrate sensitive data from development environments.

The malware harvested the following information:

– JAMF receipts (packages installed via Jamf Pro);
– Authentication tokens from Pod Sandbox environments and data from Git repositories;
– Environment variables from CI/CD pipelines;
– Zscaler and AWS configuration data;
– Public IP address, as well as system, user, and host details.

The stolen data was exfiltrated via POST requests to a remote domain generated through a Domain Generation Algorithm (DGA), which also determined whether the targeted machine warranted further exploitation. Although the final payload could not be retrieved, the infection architecture revealed a high level of sophistication and an intent to target enterprise Mac systems, CI/CD environments, and cloud platforms.

Similar attacks have also surfaced in the JavaScript ecosystem. Analysts from SafeDep and Veracode reported a series of malicious npm packages, crafted for stealthy payload delivery:

– eslint-config-airbnb-compat (676 downloads)
– ts-runtime-compat-check (1,588 downloads)
– solders (983 downloads)
– @mediawave/lib (386 downloads)

The ts-runtime-compat-check package, a dependency of eslint-config-airbnb-compat, communicated with the domain proxy.eslint-proxy[.]site to retrieve and execute a malicious payload. In the case of solders, the attack was triggered post-installation via a post-install script. The payload was obfuscated using Japanese characters as variable names and employed an advanced code-generation chain to thwart analysis.

Once installed, the malware initiated a multi-stage attack: on Windows systems, it executed a PowerShell script that downloaded a .bat file from a remote server, altered Windows Defender settings, and launched a .NET DLL. This library extracted another DLL embedded within the hidden pixels of a PNG image hosted on ImgBB. The resulting executable was a Pulsar RAT—a variant of Quasar RAT—capable of bypassing UAC, creating scheduled tasks, and granting covert remote control over the host system.

Further analysis revealed a disturbing trend: attackers are increasingly targeting Web3 developers through malicious open-source packages. Among the notable threats:

– express-dompurify and pumptoolforvolumeandcomment — steal browser credentials and cryptocurrency wallet keys;
– bs58js — drains wallets and uses transaction chaining to obscure traces;
– lsjglsjdv, asyncaiosignal, raydium-sdk-liquidity-init — monitor clipboard activity and replace wallet addresses with attacker-controlled ones.

The growing convergence of Web3 and traditional software development renders these ecosystems especially vulnerable, particularly as attackers rapidly adapt and evolve their tactics.

An unexpected threat has also emerged from AI-powered programming tools themselves. Companies like Trend Micro and Socket have exposed a novel attack vector based on the phenomenon of slopsquatting—wherein AI “hallucinates” plausible but nonexistent package names, which attackers preemptively register in official repositories. In one such case, an AI agent suggested starlette-reverse-proxy, a package that didn’t exist. Had an attacker claimed that namespace in advance, the installation would have proceeded automatically—with potentially catastrophic consequences.

While more advanced AI tools—such as Claude Code CLI, OpenAI Codex CLI, and Cursor AI validated through the Model Context Protocol—can mitigate some of these risks, the potential for error remains.

Collectively, these incidents underscore the escalating threat within open-source ecosystems. Malicious supply chains are increasingly disguised as legitimate dependencies, often incorporating dozens of layers and sophisticated concealment techniques—from Unicode obfuscation to embedding remote access trojans within image pixels. Alarmingly, it is not only cybercriminals but also, seemingly, nation-state actors who are leveraging these tactics to compromise high-value infrastructure targets.