Malicious actors have exploited the rising popularity of DeepSeek AI to distribute two malicious infostealer packages through the Python Package Index (PyPI), impersonating legitimate developer tools for the AI platform.
Researchers at Positive Technologies discovered and reported the campaign, which targeted developers, machine learning engineers, and AI enthusiasts integrating DeepSeek AI into their systems.
A Prime Target
The malicious campaign was detected and mitigated by the Supply Chain Security team at the Threat Intelligence department of the Positive Technologies Expert Security Center (PT ESC). PyPI serves as the default package repository for popular package managers such as pip, pipenv, and poetry, making it a prime target for supply chain attacks.
On 29 January 2025, an account named bvk—created in June 2023 with no prior activity—uploaded two fraudulent packages: deepseeek and deepseekai. Both were designed to exfiltrate sensitive user and system data, including API keys, database credentials, and infrastructure access tokens.
How it Worked
Once executed, the malicious payloads in the packages collected and transmitted user and system data. The payload activated when users ran the respective package commands in the command-line interface. The malefactors specifically targeted environment variables, which often store critical application credentials and access tokens.
The stolen data was sent to a command-and-control (C2) server hosted on Pipedream, a developer integration platform. According to the researchers, the script contained comments that bore telltale signs of AI-generated assistance, meaning an AI assistant was likely used to develop the malware.
Impact and Response
Despite the swift response by security researchers, the malicious packages were downloaded multiple times before removal. According to Positive Technologies:
- The packages were downloaded 36 times using the pip package manager and the Bandersnatch mirroring tool.
- One hundred eighty-six downloads occurred via browser requests, the requests library, and other tools.
PyPI administrators were notified promptly, and the compromised packages were deleted. However, the incident is one more example of the growing threat of supply chain attacks within the open-source ecosystem.
Supply Chain Risk
Jason Soroko, a senior fellow at Sectigo, says the researchers’ report unpacks a threat in which bad actors injected info stealer malware into the PyPI repository by disguising it as DeepSeek.
“The findings confirm that attackers exploit trusted naming conventions and the open-source ecosystem’s reliance on authentic package sources. Although the report was published from a Russian domain, which may limit accessibility, the technical evidence underscores a growing risk in software supply chains.”
Soroko said businesses must enforce strict package verification and monitor repository activity to mitigate potential breaches.
Trust Nothing
Mike McGuire, Senior Security Solutions Manager at Black Duck, says: “In the early days of open source software, we were taught to treat the packages we used with inherent trust. We’re now in the era of having to treat every package that we download or use with a reasonable level of scrutiny.”
McGuire says although this attack involved the name DeepSeek, it’s important to note that this had nothing to do with the company, or with AI at all. Instead, it has everything to do with criminals seizing an opportunity in the popularity of AI tools in the development community.
Missing Red Flags
“In their eagerness to leverage DeepSeek in their tasks, many developers missed the “red flag” that they were downloading packages from an account with a limited, poor reputation and had their environment variables and secrets compromised as a result. This emphasizes the importance of leveraging all of the metrics made available for open source packages before including them into projects,” McGuire adds.
While it seems obvious by now that dependencies with security vulnerabilities should be excluded, McGuire says component provenance, health, and operational factors should also serve as inclusion criteria; those with little to no history concerning changes from one version to the next, questionable owners, poor community support, and suchlike, should be flagged for further review and scrutiny.
This may sound like a time-consuming task, but there is no shortage of tools on the market that do this automatically and build directly into the software development lifecycle, McGuire ends.
Mitigation Strategies for Developers
Incidents such as this one emphasize the need for better security practices when using third-party packages from repositories like PyPI. Developers can protect themselves by:
- Verifying package authenticity: Check a package’s author, version history, and reviews before installing anything.
- Auditing dependencies: Use tools like pip-audit to pinpoint and remove potentially malicious packages.
- Monitoring environment variables: Store sensitive credentials in secure vaults instead of plaintext environment variables.
- Implementing supply chain security tools: Solutions like dependency scanning and runtime monitoring can help detect anomalies in installed packages.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.