Emerging Threat: Malicious Python Package Discovered on PyPI
Cybersecurity experts have recently identified a harmful package on the Python Package Index (PyPI) that masquerades as a tool for creating a SOCKS5 proxy service. Its actual purpose, however, is to install additional malicious payloads onto Windows systems, acting as a stealthy backdoor.
The Soopsocks Package: A Closer Look
This insidious package, named soopsocks, attracted a total of 2,653 downloads before it was removed. The account that uploaded it, created on September 26, 2025, goes by the name “soodalpie.” The timing raises concerns, as the package appeared almost immediately after the account’s creation.
JFrog, a cybersecurity analysis firm, reported that while the package purported to offer proxy capabilities, it engaged in backdoor-like activities specifically targeting Windows systems. The package installed itself automatically, either through a VBScript or through an executable variant.
Technical Malicious Functionality
The executable linked to soopsocks—labeled “_AUTORUN.EXE”—is a compiled Go binary. In addition to its advertised SOCKS5 functionality, this executable can run PowerShell scripts, adjust firewall configurations, and relaunch itself with elevated administrative permissions.
The functionality doesn’t stop there. It carries out reconnaissance activities to gather system and network data, including checking Internet Explorer’s security settings and noting the Windows installation date, then sending this information to a hard-coded Discord webhook—a method of exfiltration that highlights its potential threat level.
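The behaviours described above (a script host launching PowerShell, an inbound firewall allow on port 1080, a service binary living under a Python package directory, and a callback to a Discord webhook) are individually noisy but collectively distinctive. The following is an added defender-side example, not JFrog's analysis code or anything from the package itself: it correlates simplified host telemetry records into a per-host alert when several distinct indicators appear close together. The event schema, host names, file paths and the `<WEBHOOK_ID>/<TOKEN>` placeholder are all constructed for this example.

```python
from collections import defaultdict

# Constructed, simplified telemetry records (hypothetical schema, not a real
# EDR export). Hosts, timestamps and paths are placeholders for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "type": "process_start", "image": "python.exe",
     "parent": "cmd.exe", "cmdline": "python -m pip install soopsocks"},
    {"host": "ws01", "ts": 101, "type": "process_start", "image": "wscript.exe",
     "parent": "python.exe",
     "cmdline": r"wscript.exe C:\Users\dev\site-packages\soopsocks\_AUTORUN.VBS"},
    {"host": "ws01", "ts": 102, "type": "process_start", "image": "powershell.exe",
     "parent": "wscript.exe", "cmdline": "powershell.exe -NoProfile -Command <REDACTED>"},
    {"host": "ws01", "ts": 103, "type": "firewall_rule_added", "direction": "in",
     "protocol": "TCP", "port": 1080},
    {"host": "ws01", "ts": 103, "type": "firewall_rule_added", "direction": "in",
     "protocol": "UDP", "port": 1080},
    {"host": "ws01", "ts": 104, "type": "service_installed",
     "image": r"C:\Users\dev\site-packages\soopsocks\_AUTORUN.EXE"},
    {"host": "ws01", "ts": 105, "type": "http_request",
     "url": "https://discord.com/api/webhooks/<WEBHOOK_ID>/<TOKEN>"},
    # Ordinary admin activity on another host: produces no indicator at all.
    {"host": "ws02", "ts": 200, "type": "process_start", "image": "powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell.exe Get-Process"},
]


def indicators(ev):
    """Map a single event to zero or more named indicators."""
    found = []
    kind = ev["type"]
    if kind == "process_start":
        image = ev["image"].lower()
        parent = ev.get("parent", "").lower()
        # PowerShell started by the Windows Script Host is unusual for users.
        if image == "powershell.exe" and parent in ("wscript.exe", "cscript.exe"):
            found.append("powershell_spawned_by_script_host")
        if "_autorun." in ev.get("cmdline", "").lower():
            found.append("autorun_artifact_launched")
    elif kind == "firewall_rule_added":
        if ev.get("direction") == "in" and ev.get("port") == 1080:
            found.append("inbound_allow_port_1080_" + ev.get("protocol", "").lower())
    elif kind == "service_installed":
        # A service binary inside site-packages is not how Python packages ship.
        if "site-packages" in ev["image"].lower():
            found.append("service_binary_in_site_packages")
    elif kind == "http_request":
        if "discord.com/api/webhooks/" in ev["url"].lower():
            found.append("discord_webhook_callback")
    return found


def correlate(events, window=300, threshold=3):
    """Return {host: sorted indicator names} for every host on which at least
    `threshold` distinct indicators fire within `window` seconds of each other."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name in indicators(ev):
            by_host[ev["host"]].append((ev["ts"], name))
    alerts = {}
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            names = {n for ts, n in hits[i:] if ts - start <= window}
            if len(names) >= threshold:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(names))
```

The threshold matters: a lone PowerShell launch or a single firewall change is routine on developer machines, so the rule only fires when the chain is visible end to end on one host.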
The Role of Visual Basic Scripts
The Visual Basic Script named “_AUTORUN.VBS” accompanies the Python package in versions 0.2.5 and 0.2.6. This script can also run a PowerShell command that downloads a genuine Python binary, packaged as a ZIP file, from an external domain. The legitimate-looking ZIP serves as cover for a batch script that completes the installation by running “pip install”.
Once executed, the PowerShell script launches the batch script, which installs and runs the Python package. The chain then elevates itself to administrative privileges, modifies firewall settings to permit UDP and TCP traffic over port 1080, and registers itself as a service so that it keeps running after system reboots.
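Several of the artifacts in this install chain (a VBScript and an executable shipped inside a Python package, a batch script that calls “pip install”, a hard-coded Discord webhook) can be spotted by inspecting the archive before anything is installed. The following is an added example of such a pre-install check; it is not the page's or the package's code. The archive it scans is a constructed lookalike built in memory with placeholder contents, and the `<WEBHOOK_ID>/<TOKEN>` values are placeholders.

```python
import io
import os
import re
import zipfile

# File types that have no business inside a pure-Python proxy library.
NON_PYTHON_EXECUTABLE_EXTS = {".exe", ".vbs", ".bat", ".cmd", ".ps1"}
SCRIPT_EXTS = {".vbs", ".bat", ".cmd", ".ps1"}
# Discord webhook URLs are a common low-effort exfiltration channel.
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)


def build_sample_archive(suspicious: bool) -> bytes:
    """Build an in-memory zip that mimics a package layout (constructed test data,
    not the real soopsocks archive). Script bodies are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("soopsocks/__init__.py",
                    "def start_proxy(port=1080):\n    return port\n")
        if suspicious:
            zf.writestr("soopsocks/_AUTORUN.VBS",
                        "' constructed placeholder\nWScript.Echo \"autorun\"\n")
            zf.writestr("soopsocks/bootstrap.bat",
                        "@echo off\nREM constructed placeholder\npip install soopsocks\n")
            zf.writestr("soopsocks/config.txt",
                        "report=https://discord.com/api/webhooks/<WEBHOOK_ID>/<TOKEN>\n")
            # A PE image hidden behind a harmless-looking extension (MZ header only).
            zf.writestr("soopsocks/resources.dat", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def scan_archive(data: bytes) -> list[tuple[str, str]]:
    """Return sorted (finding, member_name) pairs; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to read
            ext = os.path.splitext(name)[1].lower()
            content = zf.read(name)
            if ext in NON_PYTHON_EXECUTABLE_EXTS:
                findings.append(("non_python_executable", name))
            if content[:2] == b"MZ":
                # Catches binaries regardless of what extension they carry.
                findings.append(("pe_binary_blob", name))
                continue  # skip the text checks for binary members
            text = content.decode("utf-8", errors="replace")
            if ext in SCRIPT_EXTS and "pip install" in text.lower():
                findings.append(("script_invokes_pip", name))
            if WEBHOOK_RE.search(text):
                findings.append(("discord_webhook_url", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding, member in scan_archive(build_sample_archive(suspicious=True)):
        print(f"{finding:24s} {member}")
```

In practice the same function can be pointed at a wheel downloaded with `pip download --no-deps`, since a wheel is a zip archive; an sdist tarball needs the equivalent walk with `tarfile`. The PE-header check is deliberately extension-agnostic so that renaming an executable to `.dat` or `.txt` does not hide it.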
Cybersecurity Implications
The soopsocks package is sophisticated in its execution. JFrog noted that while it is cleverly disguised as a useful SOCKS5 proxy, the package exhibits highly sinister behavior, including firewall rule manipulation, requests for elevated permissions, and the use of PowerShell commands. The combination of these factors indicates a high likelihood of malicious intent.
In light of this discovery, concerns related to vulnerabilities within package management systems have intensified. Recent measures by GitHub, in response to increased software supply chain attacks, include a revocation of legacy tokens for npm publishers and revised expiration policies for access tokens—reflecting a growing urgency in strengthening security protocols.
Enhancements in Package Security
To combat emerging threats such as the soopsocks package, new tools are being introduced. Socket, a firm specializing in software supply chain security, has launched a free tool called Socket Firewall. This tool aims to block malicious packages during the installation process across various ecosystems, including npm, Python, and Rust.
Socket Firewall blocks package managers from fetching not only direct dependencies but also any transitive dependencies that have been flagged as malicious. Combined with short-lived access tokens that limit the blast radius of a compromised credential, such controls let developers significantly strengthen their defenses against future attacks.
Conclusion
As the cybersecurity landscape continues to evolve, the incident with the soopsocks package serves as a reminder of the potential vulnerabilities that linger within package management systems. Adopting stringent security practices, utilizing protective tools, and staying informed can help safeguard developers and users alike from the ever-present risks in software supply chains.