New Malware on PyPI Poses Threat to Open-Source Developers


A newly uncovered malicious package on the Python Package Index (PyPI) has raised fresh concerns about the security of open source software repositories.

The package, named “dbgpkg,” was discovered by researchers at ReversingLabs, posing as a debugging utility but in fact serving as a delivery mechanism for a stealthy backdoor.

The malicious activity is part of a broader campaign that may be tied to pro-Ukrainian hacktivists operating under the alias Phoenix Hyena. This group is known for targeting Russian interests in cyberspace following the 2022 invasion of Ukraine.

Function Wrapping and Hidden Payloads

Unlike legitimate Python debugging tools, dbgpkg lacks any functional debugging features. Instead, upon installation, it implants a backdoor using Python function wrappers – decorators that subtly modify code behavior.

The technique leverages sys.modules to hook into commonly used networking libraries such as requests and socket. Because the wrapper stays dormant until one of those modules is actually called at runtime, the malware attracts no attention at install time.

Once triggered, the malicious code checks for an existing installation. If none is found, it executes a series of commands to:

  • Download a public key from a Pastebin site
  • Install the Global Socket Toolkit – a tool that bypasses firewalls
  • Exfiltrate an encrypted connection secret to a private Pastebin


This method makes detection difficult, as it disguises malicious actions beneath trusted module calls.
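The script below is an added example (not code from the article, from ReversingLabs, or from the dbgpkg package) showing how a defender can check whether functions exposed by modules such as socket or requests have been swapped for wrappers. It looks for two traces a decorator leaves behind: the `__wrapped__` attribute that `functools.wraps` sets, and a code object whose source file is not the module's own file; a baseline snapshot additionally catches replacements that hide both. The `netlib` module, its `connect` function, and the path `/tmp/constructed_third_party_pkg/hook.py` are constructed for the demonstration, and the stand-in wrapper only counts calls before delegating.

```python
"""Audit sys.modules for decorator-style wrappers on networking APIs.

Added example for this article; not code from ReversingLabs or from dbgpkg.
The ``netlib`` module, its ``connect`` function and the hook path below are
constructed for the demo only.
"""
import os
import sys
import types

# Modules and attributes worth watching; a module is only audited if imported.
WATCHED = {
    "socket": ("socket", "create_connection", "getaddrinfo"),
    "requests": ("get", "post", "request", "Session"),
}


def _defining_file(obj):
    """Source file of a pure-Python callable; None for C builtins and classes."""
    code = getattr(obj, "__code__", None)
    return os.path.realpath(code.co_filename) if code is not None else None


def audit_module(mod_name, attr_names):
    """Return [(attr, reason), ...] for attributes that look wrapped."""
    mod = sys.modules.get(mod_name)
    if mod is None:  # never imported, so nothing could have hooked it yet
        return []
    mod_file = getattr(mod, "__file__", None)
    mod_file = os.path.realpath(mod_file) if mod_file else None
    findings = []
    for attr in attr_names:
        obj = getattr(mod, attr, None)
        if obj is None:
            continue
        if hasattr(obj, "__wrapped__"):  # functools.wraps leaves this behind
            findings.append((attr, "carries __wrapped__ (functools.wraps decorator)"))
        src = _defining_file(obj)
        if src and mod_file and src != mod_file:  # code lives in a foreign file
            findings.append((attr, f"code object defined in {src}, not in {mod_file}"))
    return findings


def snapshot(watched=WATCHED):
    """Keep a reference to each watched attribute as it is right now."""
    return {(m, a): getattr(sys.modules[m], a)
            for m, attrs in watched.items() if m in sys.modules
            for a in attrs if hasattr(sys.modules[m], a)}


def replaced_since(baseline):
    """Watched attributes that no longer hold the object seen at snapshot time."""
    return [(m, a) for (m, a), orig in baseline.items()
            if getattr(sys.modules.get(m), a, None) is not orig]


def build_demo_module():
    """Construct a stand-in networking library (demo only)."""
    mod = types.ModuleType("netlib")
    mod.__file__ = __file__  # its one function is defined in this very file

    def connect(host, port):
        return f"connected to {host}:{port}"

    mod.connect = connect
    sys.modules["netlib"] = mod
    return mod


# Constructed stand-in for a wrapper shipped by another package: compiled under
# a different filename, it only counts calls before delegating to the original.
HOOK_SRC = """
import functools, sys
def patch(mod_name, attr):
    mod = sys.modules[mod_name]
    original = getattr(mod, attr)
    @functools.wraps(original)
    def wrapper(*args, **kwargs):
        wrapper.calls += 1
        return original(*args, **kwargs)
    wrapper.calls = 0
    setattr(mod, attr, wrapper)
"""


def simulate_wrapper(mod_name, attr):
    ns = {}
    exec(compile(HOOK_SRC, "/tmp/constructed_third_party_pkg/hook.py", "exec"), ns)
    ns["patch"](mod_name, attr)


def run_demo():
    """Audit netlib before and after the constructed wrapper is installed."""
    mod = build_demo_module()
    watch = {"netlib": ("connect",)}
    before = audit_module("netlib", watch["netlib"])
    baseline = snapshot(watch)
    simulate_wrapper("netlib", "connect")
    after = audit_module("netlib", watch["netlib"])
    changed = replaced_since(baseline)
    result = mod.connect("example.test", 443)  # the wrapper still delegates
    return before, after, changed, result


if __name__ == "__main__":
    b, a, c, r = run_demo()
    print("before:", b, "\nafter:", a, "\nreplaced:", c, "\ncall:", r)
    for name, attrs in WATCHED.items():  # same audit on real modules, if loaded
        print(name, audit_module(name, attrs))
```

Running the file prints an empty finding list before the wrapper is planted and two findings afterwards, while the wrapped call still returns the expected string, which is exactly why a hooked `socket` or `requests` looks healthy to the application that uses it. In a real process, take the `snapshot()` as early as possible (for example in a `sitecustomize` or at the top of the entry point) and run `audit_module` on the real modules from `WATCHED` after all third-party imports have completed.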

According to ReversingLabs, similar tactics were seen in the discordpydebug and requestsdev packages, which also impersonated legitimate developer tools and shared the same payloads. Notably, requestsdev appeared to impersonate Python core contributor Cory Benfield.

Potential Ties to Hacktivist Group

While attribution remains tentative, ReversingLabs noted that the backdoor’s design resembles malware used by Phoenix Hyena.

This group, also known as DumpForums, has been active since 2022 and is known for leaking stolen Russian data on Telegram and web forums. They were previously linked to the Dr.Web breach in 2024.

Researchers caution that similar techniques could be replicated by copycat threat actors. However, the repeated use of identical payloads and the timing of earlier uploads strengthen the case for a connection.

Long-Term Risks for Developers

The use of advanced techniques like function wrapping and stealthy network toolkits suggests that the attackers behind dbgpkg are highly skilled and focused on persistence.

Although dbgpkg was discovered quickly, the earlier discordpydebug package managed to remain hidden for over three years, amassing more than 11,000 downloads.

As open source repositories continue to be high-value targets, developers are urged to remain vigilant and scrutinize even seemingly helpful utilities before installing them.

Malicious dbgpkg package on PyPI poses as a debugging utility but acts as a delivery mechanism for a stealthy backdoor
