Malicious packages deepseeek and deepseekai published in Python Package Index

Introduction

As part of our threat research and monitoring efforts, the Supply Chain Security team of the Threat Intelligence department of the Positive Technologies Expert Security Center (PT ESC) detected and prevented a malicious campaign in the Python Package Index (PyPI) package repository. The attack targeted developers, ML engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems.

PyPI is used as a default package repository in popular package managers: pip, pipenv, and poetry.

Attack chain

On January 29, 2025, a malicious user bvk (an account that was created in June 2023 with no other activity) uploaded two packages: deepseeek and deepseekai.

Functions used in these packages are designed to collect user and computer data and steal environment variables. The payload is executed when the user runs the commands deepseeek or deepseekai (depending on the package) in the command-line interface. Environment variables often contain sensitive data required for applications to run, for example, API keys for the S3 storage service, database credentials, and permissions to access other infrastructure resources.

Figure 2. deepseekai console command registered in the package of the same name

Figure 3. Malicious payload used in the packages

The author of the two packages used Pipedream, an integration platform for developers, as the command-and-control server that receives stolen data.

It's worth mentioning that the script was written with the help of an AI assistant, which is indicated by the characteristic comments explaining the lines of code.

We have promptly notified the PyPI administrators about the packages, which are now deleted. Despite the immediate response, the package was downloaded 36 times using the pip package manager and the bandersnatch mirroring tool and 186 times using the browser, the requests library, and other tools.

Figure 4. deepseekai project, now quarantined

Attack timeline (UTC+0):

January 29, 2025, 15:52:58	The deepseeek 0.0.8 package is first published
January 29, 2025, 16:13:10	The deepseekai 0.0.8 package is first published
January 29, 2025, 16:21:32	Based on our report, both packages are quarantined and unavailable for download using package managers
January 29, 2025, 16:41:14	The PyPI administrators delete the deepseeek package and notify us accordingly
January 29, 2025, 16:42:01	The PyPI administrators delete the deepseeek package and notify us accordingly

List of downloads (according to PyPI):

Country	Download method	Count
The U.S.	Browser	33
	requests	19
	pip	8
	bandersnatch	2
	Other	55
China	bandersnatch	8
	pip	6
	Browser	4
	Other	18
Russia	Browser	3
	requests	1
	Other	8
Hong Kong	pip	4
	Browser	4
	bandersnatch	2
	requests	1
Germany	bandersnatch	4
	requests	4
	Browser	2
Canada	Browser	3
Canada	requests	2
Switzerland	requests	3
Switzerland	Browser	2
Croatia	Browser	4
Sweden	requests	4
Poland	Browser	2
The UK	Browser	2
Ireland	Other	2
Norway	Browser	2
Singapore	bandersnatch	2
France	requests	2
Ukraine	Browser	1
Saudi Arabia	Browser	1

Conclusion

Cybercriminals always monitor the current trends and will try to take advantage of them at the right moment. In this case, we analyzed a relatively harmless attack, although due to the hype around DeepSeek, there could be a lot more victims if the malicious package activity stayed hidden for longer.

The packages were identified by the service for detecting suspicious and malicious Python packages PT PyAnalysis. The service monitors packages published by PyPI users for signs of malicious activity in real time.

We recommend being careful with newly released packages that pose as wrappers for popular services.

IoC	Type
deepseeek	PyPI package
deepseekai	PyPI package
eoyyiyqubj7mquj.m.pipedream.net	C2

Malicious packages deepseeek and deepseekai published in Python Package Index

Malicious packages deepseeek and deepseekai published in Python Package Index

Introduction

Attack chain

Conclusion

IOCs

Share link