Cybersecurity

Cyber: Fake Python Spellchecker Packages On Pypi Delivered Hidden Remote...

2026-01-28 0 views admin
Cyber: Fake Python Spellchecker Packages On Pypi Delivered Hidden Remote...

Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that masquerade as spellcheckers but contain functionality to deliver a remote access trojan (RAT).

The packages, named spellcheckerpy and spellcheckpy, are no longer available for download, but not before they were collectively downloaded a little over 1,000 times.

"Hidden inside the Basque language dictionary file was a base64-encoded payload that downloads a full-featured Python RAT," Aikido researcher Charlie Eriksen said. "The attacker published three 'dormant' versions first, payload present, trigger absent, then flipped the switch with spellcheckpy v1.2.0, adding an obfuscated execution trigger that fires the moment you import SpellChecker."

Unlike other packages that conceal the malicious functionality within "__init__.py" scripts, the threat actor behind the campaign has been found to add the payload inside a file named "resources/eu.json.gz" that contains Basque word frequencies from the legitimate pyspellchecker package.

While the function looks straightforward and harmless, the malicious behavior is triggered when the archive file is extracted using the test_file() function with the parameters: test_file("eu", "utf-8", "spellchecker"), causing it to retrieve a Base64-encoded downloader hidden in the dictionary under a key called "spellchecker."

Interestingly, the first three versions of the package only fetched and decoded the payload, but never executed it. However, that changed with the release of spellcheckpy version 1.2.0, published on January 21, 2026, when it gained the ability to run the payload as well.

The first stage is a downloader that's designed to retrieve a Python-based RAT from an external domain ("updatenet[.]work"). It's capable of fingerprinting the compromised host, parsing incoming commands, and executing them. The domain, registered in late October 2025, is associated with 172.86.73[.]139, an IP address managed by RouterHosting LLC (aka Cloudzy), a hosting provider that has a history of offering its services to nation-state groups.

This is not the first time fake Python spell-checking tools have been detected in PyPI. In November 2025, HelixGuard said it discovered a malicious package named "spellcheckers" that featured the ability to retrieve and execute a RAT payload. It's suspected that these two sets of attacks are the work of the same threat actor.

The development coincides with the discovery of sever

Source: The Hacker News

🏷️ Tags

cybersecuritysecurityattackthreat

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views