Ravie Lakshmanan | Jan 28, 2026 | Supply Chain Security / Malware

Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that masquerade as spellcheckers but contain functionality to deliver a remote access trojan (RAT).

The packages, named spellcheckerpy and spellcheckpy, are no longer available for download, but not before they were collectively downloaded a little over 1,000 times.

“Hidden inside the Basque language dictionary file was a base64-encoded payload that downloads a full-featured Python RAT,” Aikido researcher Charlie Eriksen said. “The attacker published three ‘dormant’ versions first, payload present, trigger absent, then flipped the switch with spellcheckpy v1.2.0, adding an obfuscated execution trigger that fires the moment you import SpellChecker.”

Unlike other packages that conceal the malicious functionality within “__init__.py” scripts, the threat actor behind the campaign has been found to add the payload inside a file named “resources/eu.json.gz” that contains Basque word frequencies from the legitimate pyspellchecker package.

While the function looks straightforward and harmless, the malicious behavior is triggered when the archive file is extracted using the test_file() function with the parameters: test_file("eu", "utf-8", "spellchecker"), causing it to retrieve a Base64-encoded downloader hidden in the dictionary under a key called “spellchecker.”

Interestingly, the first three versions of the package only fetched and decoded the payload, but never executed it. However, that changed with the release of spellcheckpy version 1.2.0, published on January 21, 2026, when it gained the ability to run the payload as well.
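A defender-side check for the hiding place described above, added here as an example that is not code from the article or from Aikido's research: it assumes pyspellchecker-style dictionaries map words to integer frequency counts, so any non-integer value in a `*.json.gz` resource is reported. The function names, the 40-character threshold and the sample files are assumptions, and the embedded blob is a constructed benign placeholder.

```python
import base64
import binascii
import gzip
import json
import tempfile
from pathlib import Path

MIN_B64_LEN = 40  # assumption: anything this long is not a word-frequency value

def decode_if_base64(value):
    """Return decoded bytes when value is a long, strictly valid base64 string."""
    if not isinstance(value, str) or len(value) < MIN_B64_LEN:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def audit_dictionary(path):
    """Report entries of a word-frequency .json.gz whose value is not an integer."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        data = json.load(fh)
    findings = []
    for key, value in data.items():
        if isinstance(value, int) and not isinstance(value, bool):
            continue  # expected shape: word -> frequency count
        decoded = decode_if_base64(value)
        findings.append({"file": Path(path).name, "key": key, "type": type(value).__name__,
                         "decoded_preview": decoded[:24] if decoded else None})
    return findings

def audit_package(root):
    """Audit every *.json.gz below an unpacked sdist or wheel directory."""
    return [f for p in sorted(Path(root).rglob("*.json.gz")) for f in audit_dictionary(p)]

def write_sample(root):
    """Constructed sample data: one clean dictionary, one carrying a benign blob."""
    blob = base64.b64encode(b"# constructed placeholder, not the real payload").decode()
    samples = {"en.json.gz": {"hello": 120, "world": 95},
               "eu.json.gz": {"kaixo": 80, "spellchecker": blob, "etxe": 41}}
    (res := Path(root, "resources")).mkdir(parents=True, exist_ok=True)
    for name, content in samples.items():
        with gzip.open(res / name, "wt", encoding="utf-8") as fh:
            json.dump(content, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        print(*audit_package(tmp), sep="\n")
```

Run `audit_package()` against an unpacked archive before installation rather than against an installed copy, since the article notes the trigger fires on import.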

The first stage is a downloader that’s designed to retrieve a Python-based RAT from an external domain (“updatenet[.]work”). It’s capable of fingerprinting the compromised host, parsing incoming commands, and executing them. The domain, registered in late October 2025, is associated with 172.86.73[.]139, an IP address managed by RouterHosting LLC (aka Cloudzy), a hosting provider that has a history of offering its services to nation-state groups.

This is not the first time fake Python spell-checking tools have been detected in PyPI. In November 2025, HelixGuard said it discovered a malicious package named “spellcheckers” that featured the ability to retrieve and execute a RAT payload. It’s suspected that these two sets of attacks are the work of the same threat actor.

The development coincides with the discovery of several malicious npm packages designed to facilitate data theft and target cryptocurrency wallets:

  • flockiali (1.2.3-1.2.6), opresc (1.0.0), prndn (1.0.0), oprnm (1.0.0), and operni, which contain a single JavaScript file that, when loaded, serves a fake Microsoft-branded login screen as part of a targeted spear-phishing campaign hitting employees at specific industrial and energy companies located in France, Germany, Spain, the U.A.E, and the…


Last Update: January 28, 2026