
Malicious Python Package Exploits Cloud DevOps Pipelines Using Multi-Stage Attack Strategy

June 16th, 2025

Severity Level: Medium

Technical Details

  • Component Affected: Python (PyPI) and JavaScript (npm) package ecosystems.

  • Primary Malicious Package: chimera-sandbox-extensions.

  • Severity: Medium.

  • Vulnerability Type: Multi-stage info-stealers, remote code execution, cryptojackers, clippers.

In the case of chimera-sandbox-extensions, the malware employs a domain generation algorithm (DGA) to obtain an authentication token, which it subsequently uses to download a second-stage Python-based information stealer. The malware can harvest a wide range of data, including JAMF receipts, AWS tokens, CI/CD variables, and user metadata.

For npm packages like solders and eslint-config-airbnb-compat, post-install scripts or obfuscated code retrieve PowerShell scripts and batch files that install Pulsar RAT, a variant of Quasar RAT. Payloads are concealed in image files or encoded strings and evade detection by modifying Windows Defender configurations and bypassing UAC with tools like FodHelper.exe.

Our Cyber Threat Intelligence Unit has identified a targeted malware campaign that leverages malicious open-source packages from the Python Package Index (PyPI) and npm registries to steal sensitive data from developers and enterprises. These packages were created to impersonate legitimate development tools and amassed hundreds of downloads before being taken down.

A notable example is the chimera-sandbox-extensions package on PyPI, which mimics a helper module for Grab’s Chimera Sandbox but embeds a disguised credential-stealing payload. Similarly, malicious npm packages such as eslint-config-airbnb-compat, solders, and @mediawave/lib feature sophisticated multi-stage infection chains involving obfuscation, remote code execution, and system persistence mechanisms. These packages specifically target developer machines, CI/CD pipelines, cloud infrastructure, and cryptocurrency wallets, posing a significant threat to the security and operational integrity of enterprise supply chains.


Impact

Successful exploitation of these malicious packages can lead to:

  • Compromise of CI/CD pipelines and developer environments.

  • Unauthorized exfiltration of AWS tokens, JAMF configurations, and Zscaler settings.

  • Exposure of sensitive source code and enterprise environment variables.

  • Execution of backdoors, such as Pulsar RAT, which allow remote access and persistence.

  • Cryptocurrency theft through clipboard hijacking or wallet key capture.

  • Evasion of endpoint detection using scripting, Unicode obfuscation, and multistage payloads.

  • Risk to open-source-dependent products and downstream consumers.

The sophistication and targeted nature of these attacks emphasize the growing capability of threat actors to exploit enterprise software supply chains on a large scale.

Detection Method

To determine exposure or signs of compromise:

  • Audit Installed Packages:

    • Review systems and containers for the presence of the following packages:

      • chimera-sandbox-extensions (PyPI).

      • eslint-config-airbnb-compat, solders, ts-runtime-compat-check, @mediawave/lib (npm).

  • Monitor Network Activity:

    • Look for outbound requests to DGA-based domains or IPs, such as cdn.audiowave[.]org, firewall[.]tel, and i.ibb[.]co.

    • Detect unusual PowerShell commands or batch file downloads from sources outside the corporate network.

  • Check for Obfuscated Code Patterns:

    • Unicode-based variable names.

    • Post-install scripts in package.json.

    • JavaScript or Python snippets invoking external download logic or executing commands.

  • Behavioral Indicators:

    • Creation of new scheduled tasks.

    • UAC bypass attempts via FodHelper.exe.

    • Addition of antivirus exclusion paths post-installation.

  • Threat Intelligence Integration:

    • Cross-reference known malicious domains and hashes using VirusTotal, YARA rules, or EDR solutions.
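The package audit and obfuscated-code checks above can be scripted. The following is an added example (not code from the advisory or from any affected project) that checks installed PyPI distributions and a package.json for the package names listed in this advisory, flags lifecycle install scripts, and reports identifiers containing non-ASCII characters; the package.json and JavaScript snippet it scans are constructed samples.

```python
import json
import re
from importlib import metadata

# Package names taken from the advisory text above (lowercase, as published on the registries)
MALICIOUS_PYPI = {"chimera-sandbox-extensions"}
MALICIOUS_NPM = {"eslint-config-airbnb-compat", "solders",
                 "ts-runtime-compat-check", "@mediawave/lib"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
IDENT_RE = re.compile(r"[^\W\d]\w*")  # identifier-like tokens, Unicode-aware


def normalize(name):
    """PEP 503 normalization so 'Chimera_Sandbox.Extensions' matches the PyPI name."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_pypi_hits(names=None):
    """Return advisory-listed PyPI packages among the given (or installed) distribution names."""
    if names is None:
        names = [d.metadata["Name"] for d in metadata.distributions()]
    return {normalize(n) for n in names if normalize(n) in MALICIOUS_PYPI}


def audit_package_json(text):
    """Flag advisory-listed npm dependencies and lifecycle install scripts in a package.json."""
    pkg = json.loads(text)
    deps = {}
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(key, {}))
    hits = sorted(n for n in deps if n.lower() in MALICIOUS_NPM)
    hooks = {k: v for k, v in pkg.get("scripts", {}).items() if k in INSTALL_HOOKS}
    return {"malicious_deps": hits, "install_scripts": hooks}


def non_ascii_identifiers(source):
    """Return identifier-like tokens containing non-ASCII characters (Unicode obfuscation)."""
    return sorted({tok for tok in IDENT_RE.findall(source) if not tok.isascii()})


# Constructed sample inputs for demonstration (not real package contents)
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"express": "^4.19.0", "eslint-config-airbnb-compat": "1.0.0"},
    "scripts": {"test": "jest", "postinstall": "node ./setup.js"},
})
SAMPLE_JS = "const ｅxec = require('child_process').exec;\nｅxec('echo hi');\n"

if __name__ == "__main__":
    print("pypi hits:", installed_pypi_hits())
    print("package.json:", audit_package_json(SAMPLE_PACKAGE_JSON))
    print("non-ASCII identifiers:", non_ascii_identifiers(SAMPLE_JS))
```

In practice, point audit_package_json at every package.json under node_modules as well as the project root, since a post-install hook in a transitive dependency runs just the same.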

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this advisory.


Recommendations

  • Remove Malicious Packages Immediately: Uninstall any identified packages and reimage affected systems if necessary.

  • Rotate Compromised Credentials: Especially those associated with AWS, JAMF, Git, or CI/CD tokens.

  • Isolate Developer Systems: Particularly those used for testing or that utilize unverified packages.

  • Restrict Internet Access: Prevent build agents and developer systems from accessing unknown domains.

  • Implement Dependency Controls: Utilize tools such as pip-audit, npm audit, and software composition analysis (SCA) to prevent the installation of unverified packages.

  • Use Lockfiles and Hash Pinning: Enforce strict version control and avoid implicit upgrades.

  • Enhance Developer Training: Train engineering teams to review post-install behavior and to avoid LLM-suggested (hallucinated) package names.

  • Audit AI-Driven Workflows: Establish guardrails for AI tools that assist with code or package suggestions (e.g., OpenAI, Claude, Cursor).

  • Report to Maintainers: Notify the PyPI and npm security teams when malicious packages are discovered.

Conclusion

The discovery of these malicious open-source Python packages highlights a significant shift in attacker tactics: moving away from traditional endpoints and toward software development processes and developer ecosystems. By combining supply chain manipulation, obfuscation, and AI-related slopsquatting (exploiting AI tools’ tendency to hallucinate software package names), adversaries are expanding the attack surface across both corporate and open-source landscapes.

To mitigate these threats, organizations must adopt a zero-trust approach to package management, enforce strict validation processes, and regularly audit tools and behavior in their development pipelines. Maintaining a Software Bill of Materials (SBOM) is a proactive cataloging practice that tracks and monitors software package sprawl and helps identify malicious packages. As reliance on public registries and AI-assisted development continues to grow, continuous vigilance and proactive defense are essential in safeguarding the integrity of the software supply chain and preventing compromise.
