
Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that contain the ability to deliver a remote access trojan (RAT) while masquerading as a spell checker.
The packages, named Spellcheckerpy and Spellcheckpy, are no longer available for download, but had been downloaded over 1,000 times combined before their removal.
“Hidden within the Basque dictionary file was a base64-encoded payload that downloaded a full-featured Python RAT,” said Aikido researcher Charlie Eriksen. “The attackers first published three ‘dormant’ versions with the payload present and no triggers, then flipped the switch with spellcheckpy v1.2.0 and added an obfuscated execution trigger that fires the moment SpellChecker is imported.”
Unlike other malicious packages that hide their functionality within the “__init__.py” script, the attackers behind this campaign placed the payload inside a file named “resources/eu.json.gz”, which otherwise holds the Basque word-frequency data taken from the legitimate pyspellchecker package.

Although the function in question appears simple and harmless, when the archive is loaded via the test_file() function with the parameters test_file("eu", "utf-8", "spellchecker"), it triggers the malicious behavior and retrieves a Base64-encoded downloader hidden under the key “spellchecker” in the decoded dictionary.
Interestingly, the first three versions of the package only fetched and decoded the payload without executing it. That changed with the release of Spellcheckpy version 1.2.0, published on January 21, 2026, which executes the payload as well.
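As an added, defender-side example (not code from the Aikido report or from the packages described), the scanner below applies the pattern above to a pyspellchecker-style gzip JSON dictionary: legitimate entries are word-to-integer frequencies, so any string value is flagged and, if it is a base64 blob that decodes to Python-looking text, reported as a hidden stage. The sample dictionary and the stand-in payload are constructed, and the function and marker names are my own.

```python
import base64
import binascii
import gzip
import json
import re

# Genuine pyspellchecker resource files map word -> integer frequency; a string
# value is anomalous, and a long base64-only string is the pattern described above.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
CODE_MARKERS = ("import ", "exec(", "eval(", "subprocess", "urlopen", "__import__")

def load_dictionary(gz_bytes: bytes) -> dict:
    # Decompress and parse a gzip-wrapped JSON resource file.
    return json.loads(gzip.decompress(gz_bytes).decode("utf-8"))

def decode_if_base64(value: str):
    """Return decoded UTF-8 text if value is a base64 blob, else None."""
    cleaned = "".join(value.split())
    if not B64_RE.match(cleaned):
        return None
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def scan_dictionary(words: dict) -> list:
    """Report every entry whose value is not a plain integer frequency."""
    findings = []
    for key, value in words.items():
        if isinstance(value, int) and not isinstance(value, bool):
            continue  # ordinary word -> frequency pair
        finding = {"key": key, "kind": "non_integer_value", "decoded": None}
        decoded = decode_if_base64(value) if isinstance(value, str) else None
        if decoded is not None:
            finding["decoded"] = decoded
            is_code = any(m in decoded for m in CODE_MARKERS)
            finding["kind"] = "base64_python_code" if is_code else "base64_blob"
        findings.append(finding)
    return findings

def scan_gz(gz_bytes: bytes) -> list:
    return scan_dictionary(load_dictionary(gz_bytes))

# Constructed sample: two ordinary frequency entries plus a smuggled
# "spellchecker" key holding a harmless base64 stand-in for the downloader.
_STAND_IN = b"import os\n# placeholder for the downloader stage\n"
SAMPLE_GZ = gzip.compress(json.dumps({"kaixo": 1240, "eskerrik": 873,
    "spellchecker": base64.b64encode(_STAND_IN).decode("ascii")}).encode("utf-8"))
```

Running scan_gz over every .json.gz resource in a wheel or sdist before installation surfaces exactly the non-dictionary key this campaign relied on.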
The first stage is a downloader designed to retrieve a Python-based RAT from an external domain (“updatenet[.]work”) that can fingerprint compromised hosts and parse and execute the commands it receives. The domain was registered in late October 2025 and is associated with the IP address 172.86.73[.]139, which is managed by RouterHosting LLC (also known as Cloudzy), a hosting provider with a history of serving nation-state groups.
This is not the first time a fake Python spell checker has been detected on PyPI. In November 2025, HelixGuard announced the discovery of a malicious package named “spellcheckers” that has the ability to retrieve and execute RAT payloads. These two attacks are suspected to be the work of the same attacker.
This development coincides with the discovery of several malicious npm packages that facilitate data theft and target cryptocurrency wallets.
flockiali (versions 1.2.3 through 1.2.6), opresc (1.0.0), prndn (1.0.0), oprnm (1.0.0), and operni each contain a single JavaScript file that, when loaded, displays a Microsoft-branded fake login screen as part of a targeted spear-phishing campaign against employees of certain industrial and energy companies in France, Germany, Spain, the United Arab Emirates, and the United States.

ansi-universal-ui (1.3.5, 1.3.6, 1.3.7, 1.4.0, and 1.4.1) masquerades as a UI component library but deploys a Python-based stealer called G_Wagon that exfiltrates web browser credentials, cryptocurrency wallets, cloud credentials, and Discord tokens to an Appwrite storage bucket.

This disclosure coincides with Aikido highlighting the threat of slopsquatting, in which an artificial intelligence (AI)-powered agent hallucinates a non-existent package name, which threat actors can then use to push malicious code to downstream users.
In one case highlighted by the supply chain security firm, a fictitious npm package named “react-codeshift” was hallucinated by a large language model in mid-October 2025 and has since been referenced by 237 GitHub repositories, some of which even instruct AI agents to install it.
“How did it spread across 237 repositories? Agent skill files. Copied and pasted, forked, translated into Japanese, and never verified,” Eriksen said. “Skills are new code. They don’t look alike. Markdown and YAML, plain instructions. But they’re executable. The AI agent follows them without asking, ‘Does this package actually exist?’”
