
In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems.

The now-removed packages, which were discovered by Phylum between December 22 and December 31, 2022, include pyrologin, easytimestamp, discorder, discord-dev,, and pythonstyles.

The malicious code, as is increasingly the case, is concealed in the setup script of these libraries, meaning running a “pip install” command is enough to activate the malware deployment process.

The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, install invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and run a Visual Basic Script extracted from the archive to execute more PowerShell code.

“These libraries allow one to control and monitor mouse and keyboard input and capture screen contents,” Phylum said in a technical report published last week.

The rogue packages are also capable of harvesting cookies, saved passwords, and cryptocurrency wallet data from Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, Opera GX, and Vivaldi browsers.
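Because the payload sits in the setup script and fires at install time, a reviewer can inspect that script's source before anything runs. The following is an added example, not code from Phylum or from the packages: it parses a setup script with Python's `ast` module, without executing it, and flags process-launching calls, PowerShell strings, and the three dependencies named above. The function names, finding labels, and both sample scripts are constructed for illustration.

```python
import ast

# Libraries the article names as dependencies pulled in by the malware.
WATCHED_DEPS = {"pynput", "pydirectinput", "pyscreenshot"}
# Calls that start a process or run dynamic code; unusual in a setup script.
EXEC_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
              "subprocess.Popen", "subprocess.check_output", "exec", "eval"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def scan_setup_source(source):
    """Statically inspect setup-script source; return sorted (line, finding) tuples."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and dotted_name(node.func) in EXEC_CALLS:
            findings.add((node.lineno, "exec-call:" + dotted_name(node.func)))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.lower()
            if "powershell" in text:
                findings.add((node.lineno, "powershell-string"))
            for dep in WATCHED_DEPS:
                if dep in text:
                    findings.add((node.lineno, "watched-dep:" + dep))
    return sorted(findings)

# Constructed sample, never executed: the shape of an install-time launcher.
SUSPICIOUS = '''from setuptools import setup
import subprocess
subprocess.Popen(["powershell", "-Command", "<placeholder>"])
setup(name="example-pkg", install_requires=["pynput", "pyscreenshot"])
'''
# Constructed sample of an ordinary setup script.
CLEAN = '''from setuptools import setup
setup(name="example-pkg", version="1.0", install_requires=["requests"])
'''

if __name__ == "__main__":
    for line, finding in scan_setup_source(SUSPICIOUS):
        print(f"line {line}: {finding}")
```

This is a triage heuristic: a hit is a reason to read the script before installing, and an empty result is not proof that a package is safe.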
