Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that’s capable of harvesting sensitive developer-related information, such as credentials, configuration data, and environment variables, among others.
The package, named chimera-sandbox-extensions, attracted 143 downloads and likely targets users of a service called Chimera Sandbox, which was released by Singaporean tech company Grab last August to facilitate “experimentation and development of [machine learning] solutions.”
The package masquerades as a helper module for Chimera Sandbox, but “aims to steal credentials and other sensitive information such as Jamf configuration, CI/CD environment variables, AWS tokens, and more,” JFrog security researcher Guy Korolevski said in a report published last week.
Once installed, it attempts to connect to an external domain whose domain name is generated using a domain generation algorithm (DGA) in order to download and execute a next-stage payload.
Specifically, the malware acquires from the domain an authentication token, which is then used to send a request to the same domain and retrieve the Python-based information stealer.
The stealer malware is equipped to siphon a wide range of data from infected machines. This includes –
- JAMF receipts, which are records of software packages installed by Jamf Pro on managed computers
- Pod sandbox environment authentication tokens and git information
- CI/CD information from environment variables
- Zscaler host configuration
- Amazon Web Services account information and tokens
- Public IP address
- General platform, user, and host information
The kind of data gathered by the malware shows that it’s mainly geared towards corporate and cloud infrastructure. In addition, the extraction of JAMF receipts indicates that it’s also capable of targeting Apple macOS systems.
The collected information is sent via a POST request back to the same domain, after which the server assesses if the machine is a worthy target for further exploitation. However, JFrog said it was unable to obtain the payload at the time of analysis.
“The targeted approach employed by this malware, along with the complexity of its multi-stage targeted payload, distinguishes it from the more generic open-source malware threats we have encountered thus far, highlighting the advancements that malicious packages have made recently,” Jonathan Sar Shalom, director of threat research at JFrog Security Research team, said.
“This new sophistication of malware underscores why development teams remain vigilant with updates—alongside proactive security research – to defend against emerging threats and maintain software integrity.”
The disclosure comes as SafeDep and Veracode detailed a number of malware-laced npm packages that are designed to execute remote code and download additional payloads. The packages in question are listed below –
- eslint-config-airbnb-compat (676 Downloads)
- ts-runtime-compat-check (1,588 Downloads)
- solders (983 Downloads)
- @mediawave/lib (386 Downloads)
All the identified npm packages have since been taken down from npm, but not before they were downloaded hundreds of times from the package registry.
SafeDep’s analysis of eslint-config-airbnb-compat found that the JavaScript library has ts-runtime-compat-check listed as a dependency, which, in turn, contacts an external server defined in the former package (“proxy.eslint-proxy[.]site”) to retrieve and execute a Base64-encoded string. The exact nature of the payload is unknown.
“It implements a multi-stage remote code execution attack using a transitive dependency to hide the malicious code,” SafeDep researcher Kunal Singh said.
Solders, on the other hand, has been found to incorporate a post-install script in its package.json, causing the malicious code to be automatically executed as soon as the package is installed.
“At first glance, it’s hard to believe that this is actually valid JavaScript,” the Veracode Threat Research team said. “It looks like a seemingly random collection of Japanese symbols. It turns out that this particular obfuscation scheme uses the Unicode characters as variable names and a sophisticated chain of dynamic code generation to work.”
Decoding the script reveals an extra layer of obfuscation, unpacking which reveals its main function: Check if the compromised machine is Windows, and if so, run a PowerShell command to retrieve a next-stage payload from a remote server (“firewall[.]tel”).
This second-stage PowerShell script, also obscured, is designed to fetch a Windows batch script from another domain (“cdn.audiowave[.]org”) and configures a Windows Defender Antivirus exclusion list to avoid detection. The batch script then paves the way for the execution of a .NET DLL that reaches out to a PNG image hosted on ImgBB (“i.ibb[.]co”).
“[The DLL] is grabbing the last two pixels from this image and then looping through some data contained elsewhere in it,” Veracode said. “It ultimately builds up in memory YET ANOTHER .NET DLL.”
Furthermore, the DLL is equipped to create task scheduler entries and features the ability to bypass user account control (UAC) using a combination of FodHelper.exe and programmatic identifiers (ProgIDs) to evade defenses and avoid triggering any security alerts to the user.
The newly-downloaded DLL is Pulsar RAT, a “free, open-source Remote Administration Tool for Windows” and a variant of the Quasar RAT.
“From a wall of Japanese characters to a RAT hidden within the pixels of a PNG file, the attacker went to extraordinary lengths to conceal their payload, nesting it a dozen layers deep to evade detection,” Veracode said. “While the attacker’s ultimate objective for deploying the Pulsar RAT remains unclear, the sheer complexity of this delivery mechanism is a powerful indicator of malicious intent.”
Crypto Malware in the Open-Source Supply Chain
The findings also coincide with a report from Socket that identified credential stealers, cryptocurrency drainers, cryptojackers, and clippers as the main types of threats targeting the cryptocurrency and blockchain development ecosystem.
Some of the examples of these packages include –
- express-dompurify and pumptoolforvolumeandcomment, which are capable of harvesting browser credentials and cryptocurrency wallet keys
- bs58js, which drains a victim’s wallet and uses multi-hop transfers to obscure theft and frustrate forensic tracing.
- lsjglsjdv, asyncaiosignal, and raydium-sdk-liquidity-init, which functions as a clipper to monitor the system clipboard for cryptocurrency wallet strings and replace them with threat actor‑controlled addresses to reroute transactions to the attackers
“As Web3 development converges with mainstream software engineering, the attack surface for blockchain-focused projects is expanding in both scale and complexity,” Socket security researcher Kirill Boychenko said.
“Financially motivated threat actors and state-sponsored groups are rapidly evolving their tactics to exploit systemic weaknesses in the software supply chain. These campaigns are iterative, persistent, and increasingly tailored to high-value targets.”
AI and Slopsquatting
The rise of artificial intelligence (AI)-assisted coding, also called vibe coding, has unleashed another novel threat in the form of slopsquatting, where large language models (LLMs) can hallucinate non-existent but plausible package names that bad actors can weaponize to conduct supply chain attacks.
Trend Micro, in a report last week, said it observed an unnamed advanced agent “confidently” cooking up a phantom Python package named starlette-reverse-proxy, only for the build process to crash with the error “module not found.” However, should an adversary upload a package with the same name on the repository, it can have serious security consequences.
Furthermore, the cybersecurity company noted that advanced coding agents and workflows such as Claude Code CLI, OpenAI Codex CLI, and Cursor AI with Model Context Protocol (MCP)-backed validation can help reduce, but not completely eliminate, the risk of slopsquatting.
“When agents hallucinate dependencies or install unverified packages, they create an opportunity for slopsquatting attacks, in which malicious actors pre-register those same hallucinated names on public registries,” security researcher Sean Park said.
“While reasoning-enhanced agents can reduce the rate of phantom suggestions by approximately half, they do not eliminate them entirely. Even the vibe-coding workflow augmented with live MCP validations achieves the lowest rates of slip-through, but still misses edge cases.”
