
The Apple in the Snake’s Eye: A PyPI Trap for Developers

  • Javier Conejo del Cerro
  • 6 days ago
  • 2 min read

In the ever-expanding ecosystem of open-source tools, a single poisoned fruit can corrupt the entire basket. This time, it came in the form of a PyPI package named chimera-sandbox-extensions, posing as a helper module for Chimera Sandbox—an ML experimentation platform released by Grab. Instead of aiding developers, it was engineered to steal from them. Once installed, the package initiated a stealthy sequence: generate a domain using a DGA (domain generation algorithm), acquire an authentication token, retrieve a Python-based stealer, and exfiltrate sensitive data—including AWS tokens, Jamf receipts, CI/CD variables, and host identifiers.

It was a classic act of slopsquatting: publish a fake package under a name that sounds like a legitimate dependency, and wait for developers to take the bait.


Developers Become Prey


The attack homed in on a precise victim profile: software developers working in enterprise environments, especially those managing cloud infrastructure or macOS fleets. Many likely sought to explore Chimera Sandbox for machine learning experiments. The malicious package, cleverly named and hosted on a trusted registry, looked like a legitimate component of that toolkit.

By installing the impostor, developers unknowingly compromised their development environments. Credentials, environment secrets, and critical system data were silently harvested. Those affected may have integrated the tool into sensitive workflows without ever realizing the backdoor they had opened.


Anatomy of a Breach


The infection began the moment the fake PyPI package was installed. It triggered a connection to a domain generated by a DGA, a technique often used to evade detection and blocklisting. This domain returned a token, which was then used to fetch the actual stealer payload.

Once deployed, the malware harvested:

  • Jamf receipts, revealing macOS fleet management activity

  • CI/CD pipeline secrets, pulled from environment variables

  • AWS credentials and tokens

  • Zscaler configurations and host metadata

  • Git and pod sandbox information

  • Public IP address and system-level identifiers

The data was exfiltrated through HTTP POST to the same remote server. Interestingly, the server then assessed the infected system to determine whether it was a “worthy target” for a possible second-stage payload—a follow-up component that, as of JFrog’s report, remains unidentified.

This staged approach and stealthy delivery stand apart from generic open-source malware, showing just how sophisticated modern supply chain attacks have become.


Code, Verify, Defend


The lesson here is not to abandon open-source—but to approach it with caution sharpened by experience. As attacks grow more tailored and obfuscated, especially those leveraging hallucinated package names from AI coding agents, developer security hygiene must evolve. A few key defenses include:

  • Use private package mirrors with integrity verification

  • Monitor developer machines for suspicious POST exfiltration events

  • Block outbound requests to DGA-resolving domains

  • Train teams on slopsquatting and the risk of AI-assisted package hallucinations

  • Audit all third-party dependencies, especially before introducing them to production code
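One way to act on the third defense above: a heuristic that scores egress log entries for DGA-like domains (high character entropy, few vowels, digits, long labels). This is an added example, not code from JFrog or from the report; the log lines, hostnames and domains are constructed, and the thresholds are assumed, illustrative values that should be tuned against your own traffic.

```python
import math
import re
from collections import Counter

# Constructed sample egress log lines (not from the report): "<timestamp> <host> <domain>".
SAMPLE_LOG = """\
2025-06-10T10:00:01Z dev-mac-17 pypi.org
2025-06-10T10:00:02Z dev-mac-17 files.pythonhosted.org
2025-06-10T10:00:05Z dev-mac-17 xk3qz9vbw2tlh7pd.com
2025-06-10T10:00:06Z dev-mac-17 github.com
2025-06-10T10:00:09Z dev-mac-17 hq8r2zk4yb7wt.net
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([a-z0-9.-]+)$", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def vowel_ratio(s: str) -> float:
    """Share of letters that are vowels; pronounceable names usually sit above 0.25."""
    letters = [c for c in s if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def dga_score(domain: str) -> int:
    """Count DGA-like traits of the label just before the TLD.
    Thresholds are assumed values for illustration, not taken from the report."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return 0
    label = parts[-2]
    return sum([
        shannon_entropy(label) >= 3.3,
        vowel_ratio(label) < 0.25,
        any(c.isdigit() for c in label),
        len(label) >= 14,
    ])


def flag_dga_egress(log_text: str, min_score: int = 2) -> list[tuple[str, str]]:
    """Return (host, domain) pairs whose domain looks algorithmically generated."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and dga_score(m.group(3)) >= min_score:
            flagged.append((m.group(2), m.group(3)))
    return flagged


if __name__ == "__main__":
    for host, domain in flag_dga_egress(SAMPLE_LOG):
        print(f"ALERT {host} -> {domain} (score {dga_score(domain)})")
```

Feed it DNS or proxy logs in the same three-column shape and treat a hit as a trigger to check which package was installed on that host just before the request.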

Open-source remains one of our greatest collaborative assets, but also one of the most exploited attack vectors. In this ecosystem, even trusted code can bite.
