Malicious packages deepseeek and deepseekai published in Python Package Index
Malicious packages deepseeek and deepseekai published in Python Package Index
Introduction
As part of our threat research and monitoring efforts, the Supply Chain Security team of the Threat Intelligence department of the Positive Technologies Expert Security Center (PT ESC) detected and prevented a malicious campaign in the Python Package Index (PyPI) package repository. The attack targeted developers, ML engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems.
PyPI is used as a default package repository in popular package managers: pip, pipenv, and poetry.
Attack chain
On January 29, 2025, a malicious user bvk (an account that was created in June 2023 with no other activity) uploaded two packages: deepseeek and deepseekai.
Figure 1. bvk account page (Vamsi)
Functions used in these packages are designed to collect user and computer data and steal environment variables. The payload is executed when the user runs the commands deepseeek or deepseekai (depending on the package) in the command-line interface. Environment variables often contain sensitive data required for applications to run, for example, API keys for the S3 storage service, database credentials, and permissions to access other infrastructure resources.
Figure 2. deepseekai console command registered in the package of the same name Figure 3. Malicious payload used in the packages
The author of the two packages used Pipedream, an integration platform for developers, as the command-and-control server that receives stolen data.
It's worth mentioning that the script was written with the help of an AI assistant, which is indicated by the characteristic comments explaining the lines of code.
We have promptly notified the PyPI administrators about the packages, which are now deleted. Despite the immediate response, the package was downloaded 36 times using the pip package manager and the bandersnatch mirroring tool and 186 times using the browser, the requests library, and other tools.
Figure 4. deepseekai project, now quarantined
Attack timeline (UTC+0):
January 29, 2025, 15:52:58
The deepseeek 0.0.8 package is first published
January 29, 2025, 16:13:10
The deepseekai 0.0.8 package is first published
January 29, 2025, 16:21:32
Based on our report, both packages are quarantined and unavailable for download using package managers
January 29, 2025, 16:41:14
The PyPI administrators delete the deepseeek package and notify us accordingly
January 29, 2025, 16:42:01
The PyPI administrators delete the deepseeek package and notify us accordingly
List of downloads (according to PyPI):
Country
Download method
Count
The U.S.
Browser
33
requests
19
pip
8
bandersnatch
2
Other
55
China
bandersnatch
8
pip
6
Browser
4
Other
18
Russia
Browser
3
requests
1
Other
8
Hong Kong
pip
4
Browser
4
bandersnatch
2
requests
1
Germany
bandersnatch
4
requests
4
Browser
2
Canada
Browser
3
requests
2
Switzerland
requests
3
Browser
2
Croatia
Browser
4
Sweden
requests
4
Poland
Browser
2
The UK
Browser
2
Ireland
Other
2
Norway
Browser
2
Singapore
bandersnatch
2
France
requests
2
Ukraine
Browser
1
Saudi Arabia
Browser
1
Conclusion
Cybercriminals always monitor the current trends and will try to take advantage of them at the right moment. In this case, we analyzed a relatively harmless attack, although due to the hype around DeepSeek, there could be a lot more victims if the malicious package activity stayed hidden for longer.
The packages were identified by the service for detecting suspicious and malicious Python packages PT PyAnalysis. The service monitors packages published by PyPI users for signs of malicious activity in real time.
We recommend being careful with newly released packages that pose as wrappers for popular services.
