All news with #python tag

ClickFix Trick Drives Rise in CastleLoader Python Loaders

🛡️ Blackpoint researchers have uncovered a campaign that leverages ClickFix social engineering to trick users into running a benign-looking command via the Windows Run dialog. That single action launches a hidden conhost.exe process which fetches a small tar archive, unpacks it into AppData and runs a windowless Python interpreter. The bundled interpreter executes compiled Python bytecode that reconstructs and decrypts CastleLoader shellcode in memory, avoiding disk-based artifacts. Observed staging uses a GoogeBot user agent and familiar /service/download/ paths, linking the activity to the CastleLoader family.

Legacy Python bootstrap scripts enable PyPI takeover risk

🔍 ReversingLabs discovered legacy bootstrap code in Python packages that fetches and executes an installer from the unclaimed domain python-distribute.org. The zc.buildout bootstrap.py pulls distribute_setup.py, and because the domain is for sale an attacker could acquire it and serve malicious payloads. Packages including tornado and slapos.core still contain the script; it targets Python 2 and is not executed automatically during installation, but its presence increases the supply-chain attack surface if developers run it.

Blender model files used to deliver StealC infostealer

⚠️ Researchers at Morphisec observed a Russian-linked campaign using malicious Blender .blend files uploaded to 3D model marketplaces to deliver the StealC V2 infostealer. The embedded Python in the .blend fetches a loader from a Cloudflare Workers domain, which runs a PowerShell script to download two ZIP archives, unpack them into %TEMP%, drop LNK shortcuts into the Startup folder for persistence, and deploy both the StealC payload and an auxiliary Python stealer. Users are advised to disable Blender's Auto Run for Python scripts and treat downloaded 3D assets like executables, testing unknown files in sandboxed environments.

Python WhatsApp Worm Spreads Eternidade Stealer Across Brazil

📲 Trustwave SpiderLabs describes a Python-based WhatsApp worm that propagates a Delphi credential stealer named Eternidade Stealer across Brazilian devices. The campaign begins with an obfuscated Visual Basic Script dropper that installs both a Python WPPConnect-based propagator and an MSI/AutoIt installer which injects the stealer into svchost.exe. Operators use IMAP to fetch dynamic C2 addresses and apply Brazilian Portuguese geofencing to limit infections to the target region.

Cloudflare Introduces Python Workflows in Beta Release

🐍 Cloudflare has announced Python Workflows in beta, enabling developers to orchestrate multi-step, durable applications on Workers using Python. The feature aims for feature parity with the existing JavaScript SDK while adapting APIs to Pythonic idioms—using decorators for step callbacks and snake_case naming for method calls. Under the hood it leverages Pyodide and CPython in the runtime, exposes WorkflowStep as an RPC-backed JsProxy for at-most-once durable execution, and supports DAG-style concurrency via asyncio.gather. Targeted use cases include data pipelines, ML/LLM training loops, and autonomous agents where step-level retries, state persistence, and explicit wait points simplify orchestration.

Python Foundation Rejects $1.5M NSF Grant Over DEI Terms

🛡️ The Python Software Foundation (PSF) withdrew a $1.5 million proposal to the U.S. National Science Foundation after the approved award included conditions that would bar all PSF programs from activities that 'advance or promote diversity, equity, and inclusion.' The funding, under NSF’s Safety, Security, and Privacy of Open Source Ecosystems program, was intended to support automated malware-detection tools for PyPI and to be ported to other package ecosystems. PSF leaders said DEI is central to their mission, creating an unacceptable conflict that led the board to unanimously decline the grant and ask the community for donations and membership support.

Malicious PyPI soopsocks package abused to install backdoor

⚠️ Cybersecurity researchers flagged a malicious PyPI package named soopsocks that claimed to provide a SOCKS5 proxy while delivering stealthy backdoor functionality on Windows. The package, uploaded by user 'soodalpie' on September 26, 2025, had 2,653 downloads before removal and used VBScript or an executable (_AUTORUN.VBS/_AUTORUN.EXE) to bootstrap additional payloads. Analysts at JFrog reported the executable is a compiled Go binary that runs PowerShell, adjusts firewall rules, elevates privileges, performs reconnaissance and exfiltrates data to a hard-coded Discord webhook.