Infostealer Malware Targeting DeepSeek AI Tools on PyPI. Here is a quick look at what to know.

Threat actors have recently taken advantage of the rising popularity of DeepSeek AI tools. They uploaded two malicious infostealer packages on the Python Package Index (PyPI). These packages, named “deepseeek” and “deepseekai,” impersonated developer tools for the AI platform.

Discovery and Reporting

Positive Technologies researchers discovered the campaign and reported it to PyPI. The packages posed as Python clients for DeepSeek AI and stole data from developers who used them. Once executed on a developer’s machine, the malicious payload stole user and system data, as well as environment variables such as API keys, database credentials, and infrastructure access tokens.

Exfiltration and Impact

The stolen information was then exfiltrated to a command and control (C2) server using Pipedream, a legitimate automation platform. Threat actors could use this stolen information to access cloud services, databases, and other protected resources utilized by the developer.

Quick Response and Quarantine

The malicious packages were uploaded to PyPI on January 29, 2025, with only twenty minutes between them. Positive Technologies quickly discovered and reported them to PyPI, which quarantined and blocked downloads of the packages, followed by their complete deletion from the platform. Despite the quick detection and response, 222 developers downloaded the two packages, most from the United States (117), followed by China (36), Russia, Germany, Hong Kong, and Canada.

Security Recommendations for Developers

Developers who used these packages should immediately rotate their API keys, authentication tokens, and passwords, since anything present in the environment at install or run time may now be in the attackers' hands. Any cloud service, database, or infrastructure account reachable with those credentials should also be checked for unauthorized access.
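The two points above (the payload harvested environment variables, and affected developers need to know what to rotate) suggest a simple local audit. The script below is an added example written for this article, not code from the article, from Positive Technologies or from PyPI: it checks the installed distributions for the two package names the article reports, flags other names that look like typosquats of the assumed target name "deepseek" (the edit-distance heuristic and suffix rule are assumptions, not something the article describes), and lists the names of environment variables that look like credentials so the developer has a rotation checklist. Only variable names are reported, never values.

```python
"""Local audit for the malicious PyPI packages described in the article.

Constructed example: package names come from the article; the typosquat
heuristic and the secret-name hints are assumptions chosen for this example.
"""
import os
from importlib import metadata

# Names reported in the article as malicious (from the page).
KNOWN_MALICIOUS = {"deepseeek", "deepseekai"}

# The brand the impostors imitated (assumption for the heuristic below).
TARGET_NAME = "deepseek"

# Fragments that commonly mark a credential-bearing variable (heuristic, not from the page).
SECRET_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD", "PASSWD", "CREDENTIAL", "DATABASE_URL", "DSN")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a rolling row (O(len(a)*len(b)) time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_typosquat(name: str, target: str = TARGET_NAME, max_distance: int = 1) -> bool:
    """True if `name` is one edit away from `target` (e.g. 'deepseeek') or is
    `target` plus a short suffix (e.g. 'deepseekai'). The target itself is not flagged."""
    n = name.lower().replace("_", "-")
    if n == target:
        return False
    if levenshtein(n, target) <= max_distance:
        return True
    return n.startswith(target) and 0 < len(n) - len(target) <= 3


def audit_packages(names):
    """Split a list of distribution names into known-malicious and look-alike sets."""
    known = sorted(n for n in names if n.lower() in KNOWN_MALICIOUS)
    suspicious = sorted(n for n in names if n.lower() not in KNOWN_MALICIOUS and is_typosquat(n))
    return {"known_malicious": known, "suspicious": suspicious}


def exposed_secret_names(env):
    """Return the NAMES of environment variables that look like credentials.
    An infostealer that dumps the environment would have captured all of these."""
    return sorted(k for k in env if any(h in k.upper() for h in SECRET_HINTS))


def installed_distributions():
    """Names of every distribution visible to this interpreter."""
    return [d.metadata["Name"] for d in metadata.distributions() if d.metadata["Name"]]


if __name__ == "__main__":
    report = audit_packages(installed_distributions())
    print("known malicious installed:", report["known_malicious"] or "none")
    print("look-alike names to review:", report["suspicious"] or "none")
    if report["known_malicious"]:
        print("rotate these (values not shown):")
        for name in exposed_secret_names(os.environ):
            print("  -", name)
```

Run it inside each virtual environment the affected developer uses; a hit in `known_malicious` means every variable listed under "rotate these" should be treated as compromised, along with any credentials stored in files the payload could read.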

Importance of Vigilance

Bill Toulas, a tech writer and infosec news reporter with over a decade of experience, covered this incident. He highlighted the importance of vigilance when downloading packages from repositories like PyPI.

Conclusion

This incident is another reminder of the ongoing threats in the software supply chain: a package name one character off from the one a developer intended was enough to hand over credentials. Developers must remain cautious and proactive in securing their systems and data against such malicious activity.

