Socket’s Threat Research Team has identified a malicious Python package masquerading as a security solution under the name “psslib.”
Published by a threat actor using the alias “umaraq,” this package was designed to appear as a legitimate alternative to the widely-used “passlib” library, which garners over 8.9 million downloads monthly for its trusted password hashing functions.
However, psslib employs typosquatting, registering a similar-sounding but misleading package name, to deceive Python developers seeking robust authentication tools.
Upon inspection, Socket’s AI Scanner quickly flagged psslib as malicious due to its immediate and damaging impact: when an incorrect password is entered through its interface, it triggers a forced and immediate shutdown of Windows systems.
Unlike sophisticated malware that acts covertly, psslib is brazenly destructive, leveraging the trust that developers place in libraries claiming to offer enhanced security.

The package README falsely claims to “secure your Python program,” further lulling users into unwarranted confidence.
Exploitative Behavior Targets Windows Environments
The package’s core functionality is built around a password verification routine using the easygui module.
However, instead of merely alerting on failed authentication attempts, the code issues a Windows shutdown command (shutdown /s /t 1), effectively terminating all system activity within a second.
Additional functions embedded in the package, such as src() and error(), can also invoke instant shutdowns or display an error message before disabling the machine.
This increases the number of potential attack vectors, allowing destruction not just through failed authentication but also via direct function calls or error handling, any of which can be triggered with or without user interaction.
The attack is specifically engineered for Windows platforms, as the malicious shutdown command does not execute on Linux or macOS due to their incompatible system commands.
This focus suggests the perpetrator’s intent to disrupt Windows-based development environments, where administrative privileges are common and critical systems or CI/CD pipelines may be affected.
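A static check for the behaviour described in this section, as an added example (not Socket's scanner and not code from the package): it parses Python source without executing it and reports OS-command calls whose command is `shutdown`. The sample source is constructed; the function name `check`, the use of `os.system`, and the `easygui.passwordbox` call are assumptions, since the page does not show how the package issues the command.

```python
import ast

# Calls that hand a command line to the operating system.
EXEC_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
              "subprocess.Popen", "subprocess.check_call", "subprocess.check_output"}
# Commands an authentication helper has no reason to run.
POWER_COMMANDS = {"shutdown", "shutdown.exe"}

def dotted_name(node):
    """Turn an Attribute/Name chain such as os.system into 'os.system'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

class PowerCommandFinder(ast.NodeVisitor):
    def __init__(self):
        self.scope, self.findings = ["<module>"], []
    def visit_FunctionDef(self, node):
        self.scope.append(node.name)   # remember which function we are inside
        self.generic_visit(node)
        self.scope.pop()
    visit_AsyncFunctionDef = visit_FunctionDef
    def visit_Call(self, node):
        if dotted_name(node.func) in EXEC_CALLS:
            for arg in node.args:
                for sub in ast.walk(arg):  # covers "a b c" and ["a", "b", "c"]
                    if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                        words = sub.value.split()
                        if words and words[0].lower() in POWER_COMMANDS:
                            self.findings.append((self.scope[-1], node.lineno, sub.value))
        self.generic_visit(node)

def scan_source(source):
    """Parse (never execute) the source; return (function, line, command) hits."""
    finder = PowerCommandFinder()
    finder.visit(ast.parse(source))
    return finder.findings

# Constructed sample modelled on the behaviour described above; it is only parsed.
SAMPLE = '''import os, easygui
def check(expected):
    if easygui.passwordbox("Password:") != expected:
        os.system("shutdown /s /t 1")
def src():
    os.system("shutdown /s /t 1")
'''
if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

Aliased imports such as `from os import system` and command strings assembled at run time are not matched by this check.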
Supply Chain Attack
What makes this supply chain attack particularly alarming is its exploitation of the implicit trust developers have in security libraries.
The stakes are high: authentication packages are often integrated deeply into enterprise applications, user-facing systems, and automated production workflows.
As a result, a single malicious package can have cascading effects, not only corrupting developer workstations but also impacting end users, deployments, and business processes dependent on secure authentication.
Socket’s researchers warn that this incident is symptomatic of broader trends in software supply chain threats.
While psslib opts for overt destruction (immediate shutdown with the potential for unsaved data loss and service disruption), future variants may embed more insidious behaviors, such as gradual data corruption or targeted attacks on other operating systems.
Given the evolving sophistication of such attacks, robust real-time behavioral analysis is critical.
Socket offers tools like a free GitHub application, CLI alerts during package installation, and browser extensions to monitor and flag suspect packages before they infiltrate organizational codebases.
As of this writing, the psslib package remains live on the Python Package Index (PyPI), and Socket has formally petitioned for its removal.
Developers are urged to verify package authenticity, especially when dealing with security-related tooling, and to employ automated solutions for proactive supply chain threat detection.
Indicators of Compromise (IOC)
| IOC Type | Value |
|---|---|
| Malicious Package | psslib |
| Threat Actor Alias | umaraq |
| PyPI Emails | umar[.]maq@yandex[.]com |
| PyPI Emails | umarmoiz2010@gmail[.]com |