Cybersecurity researchers have uncovered two malicious Python packages on the Python Package Index (PyPI) that posed as legitimate spellchecking tools while secretly delivering a remote access trojan (RAT). The packages, spellcheckerpy and spellcheckpy, have since been removed, but not before they were downloaded more than 1,000 times combined.
According to Aikido researcher Charlie Eriksen, the malware was concealed in an unusual location. A Base64 encoded payload was hidden inside a compressed Basque language dictionary file, rather than in typical Python initialization scripts. The attacker initially published three inactive versions that contained the payload without executing it, likely to build trust and evade detection. The malicious activity was activated later with spellcheckpy version 1.2.0, released on January 21, 2026, which introduced an obfuscated trigger that executed the payload upon importing the SpellChecker module.
The malicious behavior is initiated when a function named test_file() extracts the dictionary archive using specific parameters. This action retrieves a hidden downloader embedded under a dictionary key labeled “spellchecker.” Earlier versions only decoded the payload, but the final version executed it, marking the transition from dormant to active malware.
The first stage payload functions as a downloader that fetches a Python based RAT from an external domain, updatenet[.]work. Once deployed, the RAT fingerprints the infected system, receives remote commands, and executes them. The domain was registered in October 2025 and resolves to an IP address hosted by RouterHosting LLC, also known as Cloudzy, a provider previously linked to infrastructure used by nation state threat actors.
This campaign is not an isolated incident. In November 2025, HelixGuard reported a similar PyPI package named spellcheckers that also delivered a RAT, suggesting a possible connection to the same threat actor or group.
At the same time, researchers have identified several malicious npm packages involved in credential theft and cryptocurrency targeting. Some packages delivered fake Microsoft login pages for spear phishing campaigns against industrial and energy sector employees across Europe, the Middle East, and the United States. Others, such as ansi-universal-ui, masqueraded as UI libraries while deploying a Python stealer capable of exfiltrating browser data, crypto wallets, cloud credentials, and Discord tokens to attacker controlled storage.
The findings also highlight a growing supply chain risk known as slopsquatting. This technique exploits AI generated hallucinations of non existent packages. In one case, a fictitious npm package called react-codeshift appeared in 237 GitHub repositories after being invented by an AI model. Some projects even instructed automated agents to install it, without verification.
As Eriksen noted, agent instruction files and skill definitions written in Markdown or YAML are increasingly treated as executable logic by AI systems. When these references are copied and reused without validation, they create new and largely invisible attack paths.
Security teams and developers are advised to carefully audit dependencies, verify package legitimacy, and avoid blindly trusting AI generated installation instructions. The incident underscores how software supply chains remain a prime target, especially as attackers adapt to new automation and AI driven development workflows.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
