The Supply Chain Security team at Positive Technologies Expert Security Center (PT ESC) recently intercepted and mitigated a malicious campaign targeting users of the Python Package Index (PyPI).
Malicious Campaign Targets Python Developers
Two malicious packages, named deepseeek and deepseekai, were found to be harvesting sensitive information from developers and machine learning (ML) practitioners who unwittingly downloaded and executed them.
PyPI, a widely used repository for Python packages, is critical to developers relying on tools such as pip, pipenv, or poetry for dependency management. 
The malicious campaign leveraged this trust to infiltrate systems through fraudulent packages masquerading as tools for AI and machine learning enthusiasts.
Attack Chain
The attack, launched on January 29, 2025, originated from a PyPI account under the username “bvk,” created in June 2023 with no prior activity.
The packages were designed to exfiltrate sensitive user data, including environment variables, by executing scripts when users ran commands associated with the packages.
These stolen variables could include API keys, database credentials, and permissions needed to access critical infrastructure resources.
The attacker used the Pipedream integration platform as the command-and-control (C2) server to collect stolen data.
Analysis revealed that the code within these packages was partially developed using an AI assistant, as evidenced by AI-style comments embedded in the script.
The packages were promptly flagged and quarantined by Positive Technologies researchers shortly after publication.
Despite this quick intervention, the packages were downloaded 222 times globally using a variety of methods, including browsers, Python-specific tools, and mirroring platforms.
The United States, China, and Russia were among the top download destinations.
The deepseeek package was published at 15:52 UTC, followed by deepseekai at 16:13 UTC.
Within minutes of detection, PT ESC reported the malicious files to PyPI administrators, who quarantined them by 16:21 UTC. The packages were completely removed by 16:42 UTC.
This incident underscores the persistent threat posed by supply chain attacks in open-source ecosystems.
Although the attack was relatively contained, its potential damage could have been far-reaching, exploiting the widespread interest in AI-based solutions such as DeepSeek.
Developers are urged to exercise caution when downloading newly published packages, especially those claiming to provide cutting-edge functionality.
Always verify the legitimacy of package authors and consider using security tools to detect potentially harmful components in your dependencies.
For a safer development environment, organizations should prioritize monitoring their software supply chains and invest in solutions capable of identifying suspicious activities in real time.
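One way to apply the caution advised above before anything is installed, as an added example that is not code from PT ESC or PyPI: a small gate that holds a requirement when its name is one of the two packages named in this article, is a near-miss of an approved name, or was first published very recently. The allowlist, the thresholds, and all sample upload times except the two from the article are assumptions.

```python
# Added example: pre-install gate for requirement names (not PT ESC or PyPI code).
import re
from datetime import datetime, timedelta, timezone

KNOWN_BAD = {"deepseeek", "deepseekai"}   # the two packages named in this article
ALLOWLIST = {"deepseek", "numpy", "openai", "requests"}  # hypothetical approved names
MIN_AGE = timedelta(days=14)              # assumed policy threshold
MAX_DISTANCE = 2                          # assumed lookalike threshold

def normalize(name):
    """PEP 503 name normalization, so 'DeepSeeek' and 'deepseeek' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(name, first_upload, now):
    """Return the list of reasons to hold this requirement for manual review."""
    n, findings = normalize(name), []
    if n in KNOWN_BAD:
        findings.append("known-malicious")
    if n not in ALLOWLIST:
        findings += [f"lookalike-of:{good}" for good in sorted(ALLOWLIST)
                     if edit_distance(n, good) <= MAX_DISTANCE]
    if now - first_upload < MIN_AGE:
        findings.append("newly-published")
    return findings

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

NOW = utc(2025, 1, 29, 17, 0)  # constructed review time
# Upload times for the two malicious packages are from the article; the rest is constructed.
SAMPLE = [
    ("deepseeek", utc(2025, 1, 29, 15, 52)),
    ("deepseekai", utc(2025, 1, 29, 16, 13)),
    ("requests", utc(2011, 2, 14, 0, 0)),
    ("internal-tool", utc(2025, 1, 25, 0, 0)),
]

if __name__ == "__main__":
    for name, uploaded in SAMPLE:
        print(f"{name:15} {review(name, uploaded, NOW) or 'ok'}")
```

In practice the first-upload time would come from the index's package metadata, and an empty result means only that none of these three checks fired.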