Malicious PyPI package infected Windows, Linux and Darwin systems with a backdoor


Another malicious package has been found on PyPI. It was used in a supply chain attack whose ultimate goal was to install a Cobalt Strike beacon or a backdoor on systems running Windows, Linux and Darwin.

PyPI is an open source package repository where developers can upload their own libraries or download other people's for use in their projects.

On May 17, 2022, attackers uploaded a malicious pymafka package to PyPI. The package name resembles PyKafka, a popular Apache Kafka client with more than four million downloads from PyPI.

Fortunately, the malicious “clone” was downloaded only 325 times before it was deleted. However, the developers who downloaded it are at risk, since the malware gives attackers initial access to their internal networks.

The malicious package was discovered by specialists at the information security company Sonatype, who reported it to PyPI. On May 20, pymafka was removed.

According to security researcher Ax Sharma from BleepingComputer, the infection begins with the execution of the script contained in the package. The script determines the host operating system and, depending on its type (Windows, Linux or Darwin), extracts a compatible payload, which is then executed on the system.

On Linux-based systems, the Python script connects to a remote URL and passes the output to the bash shell. This host is currently down, so it is not known which commands were executed. Most likely, these were commands to open a reverse shell.

For Windows and Darwin, the payload was a Cobalt Strike beacon that provided remote access to an infected device.

Cobalt Strike is a penetration testing toolkit that allows its operator to execute commands, log keystrokes, manipulate files, proxy traffic through SOCKS, escalate privileges, steal credentials, scan ports, etc.

Cobalt Strike beacons are fileless shellcode agents that are difficult to detect. They provide stable remote access to compromised systems for espionage, lateral movement or deployment of a second-stage payload (for example, ransomware).
