Typosquatted Python Package on PyPI Sneaks Telegram Backdoor to Developers

A typosquatted Python package on PyPI impersonating a popular parser library deployed a Telegram backdoor to steal credentials and API keys from developer environments.

CSBadmin

Deceptive Package Targets Python Developers

A malicious Python package infiltrated the PyPI repository, putting thousands of developers at risk before security researchers flagged and removed it. The package, named “parsimonius,” was designed to impersonate the legitimate “parsimonious” library, a widely used tool for building expression grammar parsers. The single missing letter was a deliberate typosquatting attack, crafted to trick developers into installing the wrong package without noticing.

Attackers assigned the malicious package a version number that appeared newer than the legitimate release, making it more likely to be selected by automated dependency resolution tools or by developers who did not carefully verify the package name. Security analysts at Zscaler ThreatLabz identified the threat and reported that the package had already been downloaded 2,474 times before it was removed from PyPI.
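A defensive check for the one-letter impersonation described above, as an added example that is not from the original article or from Zscaler ThreatLabz: it flags requirement names that sit within a small edit distance of a vetted package name without matching it. The allowlist, the sample requirements text and the function names are constructed for illustration.

```python
import re

# Constructed allowlist of vetted project names (an assumption for this example).
APPROVED = {"parsimonious", "requests", "python-dotenv"}

def normalize(name):
    # PEP 503 normalization: case-insensitive; runs of '-', '_', '.' are equivalent.
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    # Optimal string alignment: insert, delete, substitute, adjacent transposition.
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def requirement_name(line):
    # Drop comments, then take the project name before extras, versions or markers.
    line = line.split("#", 1)[0].strip()
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None

def find_lookalikes(requirements_text, approved=APPROVED, max_distance=2):
    # Report names that are close to, but not equal to, an approved name.
    approved = {normalize(n) for n in approved}
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        name = requirement_name(line)
        if not name or name in approved:
            continue
        for good in sorted(approved):
            d = edit_distance(name, good)
            if d <= max_distance:
                findings.append((lineno, name, good, d))
    return findings

# Constructed sample requirements file; the version pin is illustrative only.
SAMPLE = "requests==2.31.0\nparsimonius  # one letter short\npython_dotenv\n"

if __name__ == "__main__":
    for lineno, name, good, d in find_lookalikes(SAMPLE):
        print(f"line {lineno}: '{name}' is {d} edit(s) from approved '{good}'")
```

Because the malicious package also carried a newer-looking version number, exact version pins installed with pip's `--require-hashes` mode complement the name check.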

Silent Backdoor and Data Theft

The deception went deeper than a simple name mismatch. The malicious package actually included the real parsimonious parsing functionality, so developers using it would see completely normal behavior on the surface. Beneath that legitimate facade, however, a Telegram-based backdoor was silently deployed across every affected system.

Once the backdoor was activated, attackers gained remote access to compromised environments. Their focus was on harvesting sensitive data from .env files and bot authentication tokens, both of which commonly contain credentials, API keys, and secrets that can lead to further system compromise. The rapid download count highlights how quickly such supply chain attacks can spread through developer ecosystems.

Source: Cyber Security News
