Soopsocks malicious PyPI backdoor proxy activity
Malware Activity
Summary
Hide ▲
Show ▼
The soopsocks package on PyPI was exposed as a malicious Windows backdoor proxy, creating risk for hosts that installed it. The package saw 2,653 downloads before takedown and used VBScript or an executable bootstrap to drop payloads, configure firewall rules, and establish persistence. It also performed reconnaissance and sent data to a hard-coded Discord webhook.
Related Happenings
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
H score22
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware ActivityAbout this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score34
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
ZiChatBot PyPI supply-chain malware delivery
Malware Activity
H score22
First: 07.05.2026 12:20
Last: 07.05.2026 12:20
Sources 1
About this happening:
A **PyPI supply-chain attack** used **three packages** to quietly deliver **ZiChatBot**, creating a cross-platform malware risk for **Windows and Linux** installs. The packages we...
ZiChatBot PyPI supply-chain malware delivery
Malware ActivityAbout this happening: A **PyPI supply-chain attack** used **three packages** to quietly deliver **ZiChatBot**, creating a cross-platform malware risk for **Windows and Linux** installs. The packages we...
BufferZoneCorp sleeper-package supply chain campaign
Campaign
H score42
First: 01.05.2026 12:43
Last: 01.05.2026 12:43
Sources 1
About this happening:
The **BufferZoneCorp** software supply chain campaign is pushing **malicious Ruby gems and Go modules** that can steal credentials, tamper with **GitHub Actions**, and persist on...
BufferZoneCorp sleeper-package supply chain campaign
CampaignAbout this happening: The **BufferZoneCorp** software supply chain campaign is pushing **malicious Ruby gems and Go modules** that can steal credentials, tamper with **GitHub Actions**, and persist on...
Lightning PyPI router_runtime.js credential-stealing payload
Malware Activity
H score21
First: 30.04.2026 19:31
Last: 30.04.2026 19:31
Sources 1
About this happening:
The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Lightning PyPI router_runtime.js credential-stealing payload
Malware ActivityAbout this happening: The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Latest development: 04.05.2026 20:15
Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
Timeline
-
02.10.2025 16:07 1 articles · 8mo ago
soopsocks uploaded to PyPI on September 26, 2025
Untyped PhaseThe package soopsocks was first uploaded to the Python Package Index by the user account soodalpie on September 26, 2025, the same day the account was created.
Show sources
- Alert: Malicious PyPI Package soopsocks Infects 2,653 Systems Before Takedown — thehackernews.com — 02.10.2025 16:07
-
02.10.2025 16:07 2 articles · 8mo ago
JFrog details malicious Windows behavior in soopsocks
Technical Analysis UpdateJFrog described soopsocks as a deceptive PyPI SOCKS5 proxy package that also acts as a Windows backdoor, using VBScript or a compiled Go executable to run PowerShell, drop additional payloads, set firewall rules, elevate privileges, install as a service, create scheduled-task persistence, perform reconnaissance, and exfiltrate data to a hard-coded Discord webhook. The package had 2,653 downloads before takedown.
Show sources
- Alert: Malicious PyPI Package soopsocks Infects 2,653 Systems Before Takedown — thehackernews.com — 02.10.2025 16:07
- Alert: Malicious PyPI Package soopsocks Infects 2,653 Systems Before Takedown — thehackernews.com — 02.10.2025 16:07