Malicious Python Spellchecker Packages on PyPI Distributed Remote Access Trojan

First reported

28.01.2026 11:30

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

Two malicious Python packages, spellcheckerpy and spellcheckpy, were discovered on PyPI, masquerading as spellcheckers but delivering a remote access trojan (RAT). The packages were downloaded over 1,000 times before removal. The RAT was hidden in a Basque language dictionary file and triggered upon importing the SpellChecker module. The campaign is linked to a domain associated with a hosting provider known for serving nation-state groups.

Timeline

28.01.2026 11:30 1 articles · 23h ago

Malicious Python Spellchecker Packages on PyPI Distributed Remote Access Trojan
Two malicious Python packages, spellcheckerpy and spellcheckpy, were discovered on PyPI, masquerading as spellcheckers but delivering a remote access trojan (RAT). The packages were downloaded over 1,000 times before removal. The RAT was hidden in a Basque language dictionary file and triggered upon importing the SpellChecker module. The campaign is linked to a domain associated with a hosting provider known for serving nation-state groups.
Show sources

Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30
Open in new tab

Information Snippets

The malicious packages spellcheckerpy and spellcheckpy were downloaded over 1,000 times before removal.
First reported: 28.01.2026 11:30

1 source, 1 article
Show sources
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30
The RAT was hidden in a Basque language dictionary file named 'resources/eu.json.gz'.
First reported: 28.01.2026 11:30

1 source, 1 article
Show sources
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30
The payload was triggered by the test_file() function with specific parameters.
First reported: 28.01.2026 11:30

1 source, 1 article
Show sources
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30
The RAT was capable of fingerprinting the compromised host and executing commands.
First reported: 28.01.2026 11:30

1 source, 1 article
Show sources
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30
The domain 'updatenet[.]work' is associated with an IP address managed by RouterHosting LLC, a hosting provider linked to nation-state groups.
First reported: 28.01.2026 11:30

1 source, 1 article
Show sources
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30
The campaign is suspected to be the work of the same threat actor behind a similar attack in November 2025.
First reported: 28.01.2026 11:30

1 source, 1 article
Show sources
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30