Cybersecurity researchers have flagged a malicious package on the Python Package Index (PyPI) repository that claims to offer the ability to create a SOCKS5 proxy service, while also providing a stealthy backdoor-like functionality to drop additional payloads on Windows systems.
The deceptive package, named soopsocks, attracted a total of 2,653 downloads before it was taken down. It was first uploaded by a user named “soodalpie” on September 26, 2025, the same date the account was created.
“While providing this capability, it exhibits behavior as a backdoor proxy server targeting Windows platforms, using automated installation processes via VBScript or an executable version,” JFrog said in an analysis.
The executable (“_AUTORUN.EXE”) is a compiled Go file that, besides including a SOCKS5 implementation as advertised, is also designed to run PowerShell scripts, set firewall rules, and relaunch itself with elevated permissions. It also carries out basic system and network reconnaissance, including Internet Explorer security settings and Windows installation date, and exfiltrates the information to a hard-coded Discord webhook.
“_AUTORUN.VBS,” the Visual Basic Script launched by the Python package in versions 0.2.5 and 0.2.6, is also capable of running a PowerShell script, which then downloads a ZIP file containing the legitimate Python binary from an external domain (“install.soop[.]space:6969”) and generates a batch script that’s configured to install the package using the “pip install” command and run it.
The PowerShell script then invokes the batch script, causing the Python package to be executed, which, in turn, elevates itself to run with administrative privileges (if not already), configure firewall rules to allow UDP and TCP communication via port 1080, install as a service, maintain communication with a Discord webhook, and set up persistence on the host using a scheduled task to make sure it automatically starts upon a system reboot.
“soopsocks is a well-designed SOCKS5 proxy with full bootstrap Windows support,” JFrog said. “However, given the way it performs and actions it takes during runtime, it shows signs of malicious activity, such as firewall rules, elevated permissions, various PowerShell commands, and the transfer from simple, configurable Python scripts to a Go executable with hardcoded parameters, version with reconnaissance capabilities to a predetermined Discord webhook.”
The disclosure comes as npm package maintainers have raised concerns related to a lack of native 2FA workflows for CI/CD, self-hosted workflow support for trusted publishing, and token management following sweeping changes introduced by GitHub in response to a growing wave of software supply chain attacks, Socket said.
Earlier this week, GitHub said it will shortly revoke all legacy tokens for npm publishers and that all granular access tokens for npm will have a default expiration of seven days…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
