Find notable cyber news and cases, enriched with sources, timelines, and signals.

Spellcheckerpy and spellcheckpy PyPI RAT delivery activity

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

spellcheckerpy and spellcheckpy on PyPI were found delivering a hidden Python remote access trojan (RAT), turning a spellchecker lure into a malware dropper. The packages were collectively downloaded a little over 1,000 times before removal, and the malicious behavior was set to trigger when SpellChecker is imported. The downloader reached out to updatenet[.]work to fetch the second-stage RAT, making the packages a live supply-chain malware threat rather than a benign typo-squatting nuisance.

Related Happenings

Operation Navy Ghost PyPI supply-chain campaign

Campaign
H score26 First: 01.07.2026 00:02 Last: 01.07.2026 00:02 Sources 1

About this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
H score56 First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
H score68 First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...

Latest development: 09.06.2026 18:42

On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.

Axios package cross-platform RAT delivery

Malware Activity
H score37 First: 31.03.2026 16:53 Last: 31.03.2026 16:53 Sources 1

About this happening: A **malicious Axios package payload** now delivers a **remote access trojan** to **Windows, macOS, and Linux** hosts, creating cross-platform compromise risk. The infection begins...

Telnyx package hit by network compromise

Incident
H score19 First: 27.03.2026 23:13 Last: 27.03.2026 23:13 Sources 1

About this happening: The **Telnyx package** on **PyPI** was **compromised**, and malicious releases began executing at import, putting downstream developers at risk of secret theft. The bad uploads in...

Timeline

  1. 28.01.2026 11:30 1 articles · 5mo ago

    spellcheckpy v1.2.0 activates hidden RAT execution

    Technical Analysis Update

    spellcheckpy version 1.2.0 added an obfuscated execution trigger that fires when SpellChecker is imported, converting a previously dormant malicious payload into an active downloader capable of running a Python RAT hidden in the package.

    Show sources
  2. 28.01.2026 11:30 2 articles · 5mo ago

    PyPI spellchecker packages disclosed as RAT delivery malware

    Initial Disclosure

    Researchers identified spellcheckerpy and spellcheckpy on PyPI as malicious spellcheckers that hid a base64-encoded Python RAT downloader inside resources/eu.json.gz from legitimate pyspellchecker dictionary data; the packages were collectively downloaded a little over 1,000 times before removal.

    Show sources