Wednesday, May 7, 2025
HomeCyber CrimeBeware Of Malicious Python Packages That Steal Users Sensitive Data

Beware Of Malicious Python Packages That Steal Users Sensitive Data

Published on

SIEM as a Service

Follow Us on Google News

Malicious Python packages uploaded by “dsfsdfds” to PyPI infiltrated user systems by exfiltrating sensitive data to a Telegram bot likely linked to Iraqi cybercriminals. 

Active since 2022 and containing more than 90,000 Arabic messages, it has functioned as both a command-and-control center and an underground marketplace for social media manipulation tools. 

It highlights a broader cybercriminal network, emphasizing the need for in-depth investigation and collaboration within cybersecurity communities.

- Advertisement - Google News

A malicious script scans the victim’s file system, particularly the root directory and DCIM folder, targeting files with extensions like .py, .php, .zip, .png, .jpg, and .jpeg.  

Once found, the script transmits both file paths and the actual data (files and photos) to the attacker’s Telegram bot without the user’s awareness. This is achieved through a hardcoded Telegram bot token and chat ID within the script, revealing the attacker’s infrastructure details.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Python Packages Data Exfiltration

Analysis of the exfiltrated data revealed hardcoded credentials for a Telegram bot used by the attackers.

Exploiting these credentials, researchers gained direct access to the bot and observed a significant activity history stretching back to at least 2022. 

The messages, primarily in Arabic, provided clues about the bot operator’s location and operations. By analyzing message language and content with tools like GitHub’s TeleTracker, researchers identified the operator as likely being based in Iraq. 

The bot’s activity suggested it was part of a network of bots controlled by the same actor.

Initially, the bot functioned as an underground marketplace, offering various illicit services, which included purchasing social media engagement metrics like views and followers, spam services, and discounted subscriptions to streaming platforms like Netflix.

An investigation into a malicious Python package revealed a hidden Telegram bot, while further analysis of the bot’s message history uncovered evidence of a broader cybercriminal operation.  

The messages hinted at financial theft and appeared to originate from compromised systems, suggesting the packages were a successful initial attack vector and highlighting the need for a deep investigation into cybersecurity. 

In reality, the malicious packages that appeared to be isolated did in fact serve as the entry point to a more complex criminal network that was based on Telegram. 

Researchers at Checkmarx uncovered malicious Python packages on PyPI that exfiltrated user data to a Telegram bot. This exposed a larger Iraqi cybercriminal network and highlighted the dangers of a compromised developer machine. 

In an enterprise setting, such a breach could provide attackers with an initial foothold to launch further attacks within the organization’s network. 

Avoid these four Python packages: testbrojct2, proxyfullscraper, proxyalhttp, and proxyfullscrapers, as they are identified as malicious by exploiting the PyPI repository to install them on unsuspecting systems. 

Once installed, they scrape the files, including potentially sensitive ones like Python scripts, images, and compressed archives, and the stolen data is then sent to a Telegram bot controlled by cybercriminals, which exposes the system to a variety of threats, depending on the criminals’ goals, which could include financial fraud or further system compromise.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...