PyPI: Package with 1.1 Million Downloads Hacked to Distribute Infostealer
A PyPI package with 1.1 million monthly downloads was compromised to distribute an infostealer. Analysis of the software supply chain attack.

A serious security incident has affected the Python ecosystem: a package hosted on PyPI (Python Package Index), which records 1.1 million monthly downloads, was hacked to distribute an infostealer. The event, confirmed by a report dated April 27, 2026, represents a serious breach of software supply chain security, exposing a large number of developers and users to the risk of sensitive data theft.
The Scope of the Attack
The most alarming figure concerns the scale of the compromise. With 1.1 million downloads per month, the affected package is a component widely used by the community. The compromise of such a popular dependency provides attackers with an extremely efficient infection vector: by exploiting the inherent trust developers place in public repositories like PyPI, malicious code can automatically reach thousands of development environments and production systems without the user noticing immediately.
The Role of the Infostealer
The code inserted into the package specifically aimed to distribute an infostealer. This type of malware is designed to infiltrate victims' systems to steal confidential information, such as login credentials, bank data, or authentication keys. In the context of software development, the risk is amplified by the possibility of the malware compromising the entire build and deploy infrastructure, allowing attackers to exfiltrate sensitive data or move laterally within corporate networks. The silent nature of infostealers often delays the discovery of the infection, maximizing potential damage.
Implications for Supply Chain Security
The incident highlights the inherent vulnerabilities of the open-source supply chain. PyPI, as the official package repository for Python, is a critical target for attackers seeking to compromise software supply chains. By hacking an existing package with an established user base, malicious actors avoid the need to create projects from scratch, instead leveraging the reputation and reach already acquired by the legitimate component. This event underscores the crucial importance of implementing automated security controls, such as continuous dependency scanning and update monitoring, to mitigate the risks arising from the use of third-party libraries.
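One concrete control that addresses the scenario above is hash-pinned dependency installation: a lockfile records the SHA-256 of each audited release artifact, and a later download that does not match (for example, a release silently replaced with a trojanized one) is refused rather than installed. The following Python is an added example written for this article, not code from the report or from the affected project; the package name `examplepkg`, the artifact bytes and the requirements text are all constructed here, and the check mirrors the model pip applies with `--require-hashes`.

```python
"""Hash-pinned dependency verification (added example, constructed inputs).

A lockfile pins each dependency to an exact version and the SHA-256 of the
audited artifact. verify_artifact() reports why a download would be refused:
not pinned at all, an unexpected new version, a pin without a hash, or a hash
mismatch, which is the signal a replaced release produces.
"""
import hashlib
import re

# Constructed bytes standing in for the audited 1.4.2 artifact.
TRUSTED_ARTIFACT = b"examplepkg-1.4.2 wheel contents (constructed)"
# Constructed bytes for a tampered artifact: same version, extra payload appended.
TAMPERED_ARTIFACT = TRUSTED_ARTIFACT + b"\n# injected code (constructed)"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact, the digest form pip pins with --hash."""
    return hashlib.sha256(data).hexdigest()


# Constructed requirements file in pip's hash-pinned syntax. The examplepkg pin
# was taken from the audited artifact; otherlib is pinned without a hash, which
# --require-hashes mode would reject.
REQUIREMENTS_TXT = f"""
examplepkg==1.4.2 \\
    --hash=sha256:{sha256_hex(TRUSTED_ARTIFACT)}
otherlib==0.9.0
"""

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([^\s\\]+)")
_HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_pins(text: str) -> dict:
    """Parse 'name==version --hash=sha256:...' lines into
    {name: {"version": str, "hashes": set[str]}}, joining backslash continuations."""
    pins = {}
    logical = text.replace("\\\n", " ")  # fold continuation lines
    for line in logical.splitlines():
        match = _REQ_LINE.match(line)
        if not match:
            continue
        name, version = match.group(1).lower(), match.group(2)
        pins[name] = {"version": version, "hashes": set(_HASH.findall(line))}
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins: dict) -> str:
    """Return "ok" if the downloaded artifact matches its pin, else the reason
    an installer in require-hashes mode would refuse it."""
    pin = pins.get(name.lower())
    if pin is None:
        return "not-pinned"            # dependency never audited/locked
    if pin["version"] != version:
        return "version-mismatch"      # a release the lockfile does not know
    if not pin["hashes"]:
        return "no-hash"               # pinned version only; artifact unverifiable
    return "ok" if sha256_hex(data) in pin["hashes"] else "hash-mismatch"


if __name__ == "__main__":
    pins = parse_pins(REQUIREMENTS_TXT)
    for label, data in (("trusted", TRUSTED_ARTIFACT), ("tampered", TAMPERED_ARTIFACT)):
        print(f"examplepkg 1.4.2 ({label}):",
              verify_artifact("examplepkg", "1.4.2", data, pins))
    print("examplepkg 1.4.3 (new release):",
          verify_artifact("examplepkg", "1.4.3", TRUSTED_ARTIFACT, pins))
    print("otherlib 0.9.0 (no hash pinned):",
          verify_artifact("otherlib", "0.9.0", b"anything", pins))
```

The "version-mismatch" branch is the update-monitoring half of the control: a new release does not flow into the build until someone re-audits it and refreshes the pin, which is exactly the window in which a compromised upload would otherwise be pulled in automatically.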
This article is a summary based exclusively on the sources listed.
Sources
- Security Report: PyPI package with 1.1 million monthly downloads compromised (April 27, 2026)