Backdoor implant discovered on PyPI posing as debugging utility

Threat actors have all kinds of motivations for targeting open-source software (OSS) repositories like the Python Package Index (PyPI). Financial gain is one of them. As the ReversingLabs (RL) 2025 Software Supply Chain Security Report noted, there were close to two dozen software supply chain campaigns in 2024 alone that targeted developers working on cryptocurrency applications.

But financial gain is just one motivation. Geopolitical tensions and political activism are another, as can be seen in a new malicious campaign that RL researchers detected on PyPI this week, which may be linked to a threat actor that has worked in support of Ukraine since the Russian invasion of that country in 2022. On Tuesday, the RL threat research team detected a newly uploaded malicious package that poses as a Python debugging utility. When installed, the package implants a backdoor on the developer’s system, enabling malicious actors to execute malicious code and exfiltrate sensitive data.

By comparing the malicious packages and attack techniques of previous malicious campaigns, RL researchers conclude that this new package may be attributable to a hacktivist gang known for its campaigns against Russian interests in support of Ukraine. Here’s what RL researchers discovered, and what this ongoing campaign means for the current state of OSS security.

First seen on securityboulevard.com

Jump to article: securityboulevard.com/2025/05/backdoor-implant-discovered-on-pypi-posing-as-debugging-utility/
