Security researchers recently uncovered two malicious Python packages on PyPI, spellcheckerpy and spellcheckpy, which disguised themselves as spellcheckers to infect systems with a remote access trojan. Despite being removed, these packages were downloaded over 1,000 times and utilized a clever technique of hiding a base64-encoded downloader within a legitimate-looking Basque dictionary file.
This campaign highlights a sophisticated evolution in supply chain attacks, as the malicious code was only activated in later versions after several dormant releases. The threat is part of a broader trend involving both the hijacking of common library names and the emergence of slopsquatting, where AI agents inadvertently promote non-existent, potentially malicious packages to developers.
The discovery of spellcheckerpy and spellcheckpy reveals a calculated attempt to bypass standard security filters by embedding a remote access trojan within a seemingly benign dictionary file. Researchers found that the payload was tucked away inside a JSON archive containing Basque word frequencies, a deviation from the common practice of hiding scripts in initialization files. For the first several releases, the code remained dormant to avoid detection, but version 1.2.0 introduced an execution trigger that activated as soon as the library was imported. This specific update allowed the package to fetch and run a second-stage downloader from an external domain linked to infrastructure previously used by nation-state actors.
This Python-based malware is designed to fingerprint the host machine and execute commands from a remote server, giving attackers full control over compromised systems. The infrastructure used in this attack, specifically a domain registered in late 2025, suggests a link to previous campaigns involving fake spell-checking tools. The recurring nature of these attacks indicates a persistent threat actor targeting the Python ecosystem by mimicking popular utility libraries. This method exploits the trust developers place in the PyPI repository, as even a small number of downloads can lead to significant corporate breaches if the library is integrated into internal tools.
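The dictionary-file hiding place described above can be checked for before a dependency is installed. The following is an added example, not code from the researchers or from the packages: it walks a JSON data file and flags any string that decodes from base64 into Python-looking bytes. The 80-character threshold, the hint tokens, the sample file and its "meta"/"notes" keys are assumptions constructed for illustration.

```python
import base64
import binascii
import json
import re

# Long runs of the base64 alphabet; the 80-character floor is an assumed threshold.
B64_RUN = re.compile(r"^[A-Za-z0-9+/]{80,}={0,2}$")
# Tokens suggesting the decoded bytes are Python source, not dictionary data.
CODE_HINTS = (b"import ", b"exec(", b"eval(", b"urlopen", b"subprocess")

# Constructed sample: a word-frequency file with a harmless encoded script inside.
_BLOB = base64.b64encode(
    b"import platform\n# constructed, harmless stand-in for a hidden script\n"
    b"print(platform.node())\n").decode()
SAMPLE = json.dumps({"eu": {"etxe": 5120, "kaixo": 4311}, "meta": {"notes": _BLOB}})

def iter_strings(node, path="$"):
    """Yield (json_path, text) for every key and string value in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}", key  # keys can carry encoded data too
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_dictionary(raw_json):
    """Return findings for strings that base64-decode into code-like bytes."""
    findings = []
    for path, text in iter_strings(json.loads(raw_json)):
        if not B64_RUN.match(text):
            continue
        try:
            decoded = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            continue  # right alphabet, but not valid base64
        hits = [h.decode() for h in CODE_HINTS if h in decoded]
        if hits:
            findings.append({"path": path, "length": len(text), "hints": hits})
    return findings

if __name__ == "__main__":
    for finding in scan_dictionary(SAMPLE):
        print(finding)
```

A scan like this only reads the file as data and never imports the package, which matters because the trigger described above fired on import.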
The threat extends beyond Python, as researchers also identified multiple malicious npm packages targeting specific industries. These packages, such as ansi-universal-ui and others, were found to deploy stealers capable of exfiltrating browser credentials, cryptocurrency wallets, and Discord tokens. In some instances, the packages were used to serve fake login screens to employees at energy and industrial companies across Europe, the Middle East, and the United States. This multi-platform approach demonstrates that attackers are actively diversifying their targets to include high-value corporate and financial assets through deceptive web components.
A new and particularly concerning development in this landscape is the rise of slopsquatting, where AI-powered coding assistants hallucinate non-existent software packages. Security firms have documented cases where large language models suggested a fictitious package called react-codeshift, which was subsequently referenced in hundreds of GitHub repositories. Because AI agents and developers often follow these suggestions without verification, threat actors can pre-emptively register these hallucinated names to distribute malware. This creates a feedback loop where unverified AI instructions become executable vulnerabilities across the global software supply chain.
The rapid spread of these hallucinated references through forked repositories and agent skill files illustrates a fundamental shift in how malicious code is distributed. As AI agents increasingly manage code generation and installation, the traditional boundaries of security verification are being tested by non-traditional file formats like Markdown and YAML. The transition from manual package typosquatting to automated AI-driven hallucinations marks a new frontier for supply chain security. Experts warn that unless verification processes are strictly enforced for AI-generated suggestions, the infrastructure of modern software development remains highly susceptible to these invisible, automated threats.
Source: Fake Python Spellchecker Packages On PyPI Delivered Hidden Remote Trojan



The dormant versioning strategy here is really clever, waiting until 1.2.0 to activate makes detection way harder. What got me is the slopsquatting angle with AI hallucinating package names, that feedback loop feels like a whole new attack vector that's barely being addressed. The fact that it fingerprints systems before execution shows how targeted these supply chain attacks are getting nowadays. Definitely something to watch.