Malicious PyPI package discovered in ongoing ‘PaperPin’ campaign

Malicious PyPI package discovered in ongoing ‘PaperPin’ campaign Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he’s probably into it. Find him on Twitter (@Gadget_Ry) or Mastodon (

In a recent analysis conducted by Sonatype, a malicious Python Package Index (PyPI) package named ‘VMConnect’ was discovered masquerading as the legitimate VMware vSphere connector module ‘vConnector’.

The counterfeit package was found to contain sinister code designed to compromise users’ systems. Further investigation revealed an ongoing campaign involving additional packages like “ethter” and “quantiumbase,” all sharing the same structure and payload.

The ‘VMConnect’ package, assigned sonatype-2023-3387, was detected by Sonatype’s automated systems on July 28th.

As of writing, the package has been downloaded 237 times. The package closely resembled the genuine ‘vConnector’ module, attempting to deceive users with a similar description and file structure.

Upon analysing the package, Sonatype’s Senior Security Researcher, Ankita Lamba, found that the ‘VMConnect’ package’s ‘’ file contained encoded code within the ‘’ file. When decoded, this string revealed a script that connected to an attacker-controlled URL and executed payloads on the host machine every minute.

Sonatype’s researchers discovered two other suspicious packages, “ethter” (253 downloads) and “quantiumbase” (216 downloads), which exhibited identical patterns to ‘VMConnect,’ suggesting a coordinated campaign. Both packages contained a base64-encoded string connecting to the same attacker-controlled URL.

The researchers have subsequently dubbed this campaign “PaperPin”.

Sonatype’s researchers encountered a roadblock during their analysis, as the second-stage payload from the attacker-controlled URL had been removed, preventing further investigation. Nonetheless, the intent behind the package was evident—it was designed to act as a beacon, reach out to a Command & Control server, and download and execute malicious payloads.

“Even though the second stage payload was unavailable for analysis at the time of research, the malicious intent behind this package is evidently clear,” said Lamba.

“The decoded base64 string appears to be a beacon reaching out to a Command & Control server. An unsuspecting user’s machine would beacon out to the external IP address, downloading and executing malicious payloads every minute.”

Sonatype promptly reported the malicious PyPI packages to the registry administrators and the packages were taken down. The researchers also attempted to contact the user “hushki502,” the username associated with the counterfeit package on both GitHub and PyPI, but received no response.

In light of this discovery, VMware vSphere users are urged to exercise caution when obtaining Python Connector modules and should refer only to the project’s official documentation and repository for secure instructions.

The incident highlights the constant threat posed by malicious actors in the software supply chain. It also underscores the importance of vigilant monitoring by organisations and security researchers to detect and neutralise such threats promptly.

(Photo by Jess Bailey on Unsplash)

See also: Checkmarx uncovers supply chain attacks targeting banking

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The event is co-located with Digital Transformation Week.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *