Cybercriminals have infiltrated PyPI with fake DeepSeek AI packages, 'deepseeek' and 'deepseekai,' which are actually info stealers. Developers, beware, and always verify the authenticity of packages before installation!
Key takeaways:
🕵️ Malicious Packages: Two packages, 'deepseeek' and 'deepseekai', were found on PyPI. They impersonate tools for the popular DeepSeek AI platform but are, in fact, information stealers.
🚫 Data Theft: Once installed, these packages steal sensitive information such as API keys, database credentials, and permissions, posing a significant security risk to users.
🕒 Recent Development: The malicious packages were uploaded on January 29, 2025, and although PyPI removed them, they managed to accumulate 222 downloads, indicating potential exposure.
🔍 Detection: Positive Technologies researchers discovered the attack and reported the issue to PyPI, which removed the packages.
🛡️ Security Measures: This incident underscores the need for developers to use package verification tools, maintain up-to-date security practices, and perhaps use package managers with built-in security checks.
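One concrete form of the package verification the last takeaway calls for, as an added example that is not from the article or from Positive Technologies: a small screening script that reads a requirements file and flags (1) any dependency on a block list of names reported as malicious (here the two names from the article) and (2) any name that is within a short edit distance of a watched, legitimate name but is not that name, which is the typosquatting pattern 'deepseeek' follows. The watch list ('deepseek' as the impersonated brand, plus 'requests' and 'numpy') and the sample requirements text are constructed for the example; the edit-distance threshold is a heuristic, not a rule from the article.

```python
"""Dependency screening example (added here; not the article's or Positive
Technologies' code).

Reads a pip requirements list and reports:
  - 'blocked':    names on a list of packages reported as malicious
  - 'suspicious': names close (by edit distance) to a watched legitimate name
"""
from __future__ import annotations

import re

# Package names the article reports as malicious (the malicious-packages list).
KNOWN_MALICIOUS = {"deepseeek", "deepseekai"}

# Constructed watch list of legitimate names worth guarding against look-alikes.
# 'deepseek' is assumed here as the brand the fake packages impersonate.
WATCHED_NAMES = {"deepseek", "requests", "numpy"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'.

    This is how PyPI compares names, so 'Deep_Seek' and 'deep-seek' are the
    same project and must be compared on equal footing.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> list[str]:
    """Extract bare project names from requirements.txt-style text.

    Comments, blank lines and pip options (-r, --index-url, ...) are skipped;
    version specifiers and extras after the name are dropped.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def screen(requirements: str, max_distance: int = 2) -> dict[str, list[str]]:
    """Return {'blocked': [...], 'suspicious': [...]} for the given requirements."""
    blocked: list[str] = []
    suspicious: list[str] = []
    malicious = {normalize(n) for n in KNOWN_MALICIOUS}
    watched = sorted(normalize(n) for n in WATCHED_NAMES)  # sorted: deterministic ties
    for raw in parse_requirements(requirements):
        name = normalize(raw)
        if name in malicious:
            blocked.append(raw)
            continue
        if name in watched:
            continue  # the real package, not a look-alike
        closest = min(watched, key=lambda w: levenshtein(name, w))
        if levenshtein(name, closest) <= max_distance:
            suspicious.append(f"{raw} (looks like {closest})")
    return {"blocked": blocked, "suspicious": suspicious}


# Constructed sample requirements file for the demonstration.
SAMPLE_REQUIREMENTS = """\
# constructed sample: two real deps, the two reported names, two look-alikes
requests==2.32.3
deepseeek
deepseekai>=0.1
numpy>=1.26
reqeusts
Deep_Seek
"""

if __name__ == "__main__":
    report = screen(SAMPLE_REQUIREMENTS)
    for verdict, names in report.items():
        for n in names:
            print(f"{verdict:10s} {n}")
```

The block list check is exact and safe to enforce in CI; the edit-distance check is a review prompt, not a block, because short names produce near-misses that are legitimate projects. Normalizing both sides first matters: a look-alike that differs only in case or in `_` versus `-` resolves to the same PyPI project and is not a typosquat at all.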
iocs.txt: List of all Indicators of Compromise (IOCs) in the article.
network-iocs.txt: List of all network IOCs in the article.
malicious-packages.txt: List of all malicious packages in the article.
Note
Use the following scripts in threat-hunting-scripts to help you hunt:
verify-iocs-vt.py: Verify IOCs using the VirusTotal Community API.
iocs-to-cs.py: Upload IOCs to CrowdStrike Falcon IOC Management for detection and blocking.