Introduction
As part of our threat research and monitoring efforts, the Supply Chain Security team of the Threat Intelligence department of the Positive Technologies Expert Security Center (PT ESC) detected and prevented a malicious campaign in the Python Package Index (PyPI) package repository. The attack targeted developers, ML engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems.
PyPI is used as a default package repository in popular package managers: pip, pipenv, and poetry.
Attack chain
On January 29, 2025, a malicious user bvk (an account that was created in June 2023 with no other activity) uploaded two packages: deepseeek and deepseekai.
Functions used in these packages are designed to collect user and computer data and steal environment variables. The payload is executed when the user runs the commands deepseeek or deepseekai (depending on the package) in the command-line interface. Environment variables often contain sensitive data required for applications to run, for example, API keys for the S3 storage service, database credentials, and permissions to access other infrastructure resources.
The author of the two packages used Pipedream, an integration platform for developers, as the command-and-control server that receives stolen data.
It's worth mentioning that the script was written with the help of an AI assistant, which is indicated by the characteristic comments explaining the lines of code.
We have promptly notified the PyPI administrators about the packages, which are now deleted. Despite the immediate response, the package was downloaded 36 times using the pip package manager and the bandersnatch mirroring tool and 186 times using the browser, the requests library, and other tools.
Attack timeline (UTC+0):
| January 29, 2025, 15:52:58 | The deepseeek 0.0.8 package is first published |
| January 29, 2025, 16:13:10 | The deepseekai 0.0.8 package is first published |
| January 29, 2025, 16:21:32 | Based on our report, both packages are quarantined and unavailable for download using package managers |
| January 29, 2025, 16:41:14 | The PyPI administrators delete the deepseeek package and notify us accordingly |
| January 29, 2025, 16:42:01 | The PyPI administrators delete the deepseeek package and notify us accordingly |
List of downloads (according to PyPI):
| Country | Download method | Count |
|---|---|---|
| The U.S. | Browser | 33 |
| requests | 19 | |
| pip | 8 | |
| bandersnatch | 2 | |
| Other | 55 | |
| China | bandersnatch | 8 |
| pip | 6 | |
| Browser | 4 | |
| Other | 18 | |
| Russia | Browser | 3 |
| requests | 1 | |
| Other | 8 | |
| Hong Kong | pip | 4 |
| Browser | 4 | |
| bandersnatch | 2 | |
| requests | 1 | |
| Germany | bandersnatch | 4 |
| requests | 4 | |
| Browser | 2 | |
| Canada | Browser | 3 |
| requests | 2 | |
| Switzerland | requests | 3 |
| Browser | 2 | |
| Croatia | Browser | 4 |
| Sweden | requests | 4 |
| Poland | Browser | 2 |
| The UK | Browser | 2 |
| Ireland | Other | 2 |
| Norway | Browser | 2 |
| Singapore | bandersnatch | 2 |
| France | requests | 2 |
| Ukraine | Browser | 1 |
| Saudi Arabia | Browser | 1 |
Conclusion
Cybercriminals always monitor the current trends and will try to take advantage of them at the right moment. In this case, we analyzed a relatively harmless attack, although due to the hype around DeepSeek, there could be a lot more victims if the malicious package activity stayed hidden for longer.
The packages were identified by the service for detecting suspicious and malicious Python packages PT PyAnalysis. The service monitors packages published by PyPI users for signs of malicious activity in real time.
We recommend being careful with newly released packages that pose as wrappers for popular services.
IOCs
| IoC | Type |
|---|---|
| deepseeek | PyPI package |
| deepseekai | PyPI package |
| eoyyiyqubj7mquj.m.pipedream.net | C2 |
Get in touch
will contact you shortly