Cyber Security News

North Korea’s Hacker Group Deploys Malicious Version of Python Package in PyPI Repository

ReversingLabs spotted “VMConnect” in early August, a malicious supply chain campaign with two dozen rogue Python packages on PyPI.

It’s been observed that these packages mimicked the following known open-source Python tools:-

  • vConnector
  • eth-tester
  • Databases

Cybersecurity researchers at ReversingLabs recently identified that a North Korean hacker group is actively deploying malicious versions of Python Packages in the PyPI repository.

The security analysts analyzed all the malicious packages, and after successfully decrypting the malicious packages, they linked their roots to Labyrinth Chollima, a branch of the renowned North Korean state-sponsored group Lazarus.

Recent years witnessed malicious actors imitating open-source packages, using tactics like typosquatting to trick busy developers into installing malware.

Malicious packages

Here below, we have mentioned all the malicious packages that the security experts identified:-

  • tablediter (736 downloads)
  • request-plus (43 downloads)
  • requestspro (341 downloads)

The first of the three new packages pretends to be a table editing tool, while the others imitate the ‘requests’ Python library, adding ‘plus’ and ‘pro’ to seem like enhanced legitimate versions.

Malicious Python Package in PyPI Repository

The malicious actors used evasion tactics like typosquatting and mimicked the ‘requests’ package, copying its description and files without any additions.

The malicious packages in the “” file were only altered and modified to launch a thread executing a function from the “” file after the addition of a few lines of code.

The file was altered with malicious functions to gather machine data, sending it via POST to a C2 server URL. It then retrieves a token via a GET HTTP request to another C2 server URL.

Code for communication with C2 server (Source – Reversing Labs)

The infected host receives a double-encrypted Python module with execution parameters, decoding it and downloading the next malware stage from a provided URL.

Similar to the previous VMConnect campaign, the C2 server waited for suitable targets, withholding additional commands, making campaign assessment challenging.

While investigating VMConnect, ReversingLabs aimed to connect it with other malware campaigns, uncovering hints linking it to Lazarus Group, a North Korean APT group.

Further investigation found the py_QRcode package mentioned in a July 2023 JPCERT report (, but it was never on PyPI. This raises questions about how the malware reached victims despite being tied to this package.

Code similarities between VMConnect and JPCERT/CC findings link both to the Lazarus Group, confirming North Korean state sponsorship.


Command and control (C2) domains and IP address:

  • packages-api.test

PyPI packages:

PyPI packages (Source – Reversing Labs)

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Defend Ransomware Attacks With Top Effective Proactive Measures in 2024

We're currently living in an age where digital threats loom large. Among these, ransomware has…

45 mins ago

GoTitan Botnet Actively Exploiting Apache ActiveMQ Vulnerability

Attackers are exploiting the recently discovered critical security vulnerability tracked as (CVE-2023-46604) affecting Apache ActiveMQ…

17 hours ago

Cybercriminals are Showing Hesitation to Utilize AI When Executing Cyber Attacks

Media reports highlight the sale of LLMs like WormGPT and FraudGPT on underground forums. Fears…

18 hours ago

Vigil: Open-source Security Scanner for LLM Models Like ChatGPT

An open-source security scanner, developed by Git Hub user Adam Swanda, was released to explore…

18 hours ago

Slovenia’s Biggest Power Provider has Suffered a Cyberattack

One of Slovenia's major power providers, HSE, has recently fallen victim to a significant cyberattack.…

19 hours ago

Genesis Market Technique: Hackers Exploited Node.js and EV Certificates

In the labyrinthine landscape of cyber threats, the Trend Micro Managed XDR team has uncovered…

21 hours ago