Cybersecurity researchers have flagged malicious packages in Python Package Index (PYPI) repository, claiming it provides the ability to create Socks5 Proxy services, and also offers features like stealth backdoors that drop additional payloads on Windows systems.
The deceptive package named Soopsocks attracted a total of 2,653 downloads before being removed. It was first uploaded on September 26, 2025 by a user named “Soodalpie.” This is the same date that the account was created.
“While providing this functionality, it demonstrates its behavior as a backdoor proxy server targeted at the Windows platform using an automated installation process via VBScript or executable version,” Jfrog said in his analysis.
An executable (“_autorun.exe”) is a compiled GO file designed to run PowerShell scripts, set firewall rules, and restart with increased capacity, in addition to including an implementation of Socks5 according to the ad. It also performs basic system and network reconnaissance, including Internet Explorer security settings and Windows installation dates, and excludes information into hardcoded Discord Webhooks.
“_autorun.vbs”, the visual basic script started by the Python package in versions 0.2.5 and 0.2.6 can also run PowerShell scripts.[.]Space: 6969″) and then generate and run a batch script configured to install the package using the “PIP Install” command.
The PowerShell script calls the batch script and runs the Python package. This will run with administrative privileges (if not already), configure Firewall rules, configure UDP and TCP communication over port 1080, install as a service, maintain communication with Discord Webhooks, and automatically start the host.
“Soopsocks is a well-designed Socks5 proxy with full bootstrap window support,” says Jfrog. “But when you think about how you run and how you run it, it shows signs of malicious activity such as firewall rules, rising permissions, various PowerShell commands, and GO executable parameters with hardcoded parameters from simple, configurable Python scripts, versions with versions with versions.
This disclosure arises because NPM package maintainers raised concerns related to the lack of native 2FA workflows for CI/CD, self-hosted workflow support for reliable publication, and token management after sweep change introduced by GitHub in response to an increase in software supply chain attacks.
Earlier this week, Github said that if it would soon cancel all legacy tokens from NPM Publishing, all granular access tokens in NPM have a default expiration date of seven days (down from 30 days) and a maximum expiration date of 90 days.
“Long-life tokens are the main vectors of supply chain attacks. When tokens are compromised, shorter life expectancy limits the window of exposure and reduces potential damage.” “The changes will bring NPM in line with security best practices already adopted across the industry.”
It also brings software supply chain security companies to release a free tool called Socket Firewall that blocks malicious packages during installation across the NPM, Python, and Rust ecosystem, providing developers with the ability to protect their environment from potential threats.
“Socket firewalls are not limited to protecting you from problematic top-level dependencies, and they also prevent package managers from obtaining transitive dependencies that are known to be malicious,” the company added.
Source link
