Spellcheckerpy and spellcheckpy PyPI RAT delivery activity
Malware Activity
Summary
spellcheckerpy and spellcheckpy on PyPI were found delivering a hidden Python remote access trojan (RAT), turning a spellchecker lure into a malware dropper. The packages were collectively downloaded a little over 1,000 times before removal, and the malicious behavior was set to trigger when SpellChecker is imported. The downloader reached out to updatenet[.]work to fetch the second-stage RAT, making the packages a live supply-chain malware threat rather than a benign typo-squatting nuisance.
Related Happenings
Axios package cross-platform RAT delivery
Malware Activity
First: 31.03.2026 16:53
Last: 31.03.2026 16:53
Sources 1
About this happening:
A **malicious Axios package payload** now delivers a **remote access trojan** to **Windows, macOS, and Linux** hosts, creating cross-platform compromise risk. The infection begins...
Telnyx package hit by network compromise
Incident
First: 27.03.2026 23:13
Last: 27.03.2026 23:13
Sources 1
About this happening:
The **Telnyx package** on **PyPI** was **compromised**, and malicious releases began executing at import, putting downstream developers at risk of secret theft. The bad uploads in...
Telnyx Python package hit by data theft breach
Incident
First: 27.03.2026 18:53
Last: 27.03.2026 18:53
Sources 1
About this happening:
The **telnyx** Python package was **compromised on PyPI** with **4.87.1** and **4.87.2**, exposing downstream importers to **credential theft** and **data exfiltration**. The mali...
LiteLLM PyPI credential-stealing malware compromise
Malware Activity
First: 25.03.2026 14:00
Last: 25.03.2026 14:00
Sources 1
About this happening:
The **LiteLLM** package on **PyPI** was compromised with **credential-stealing malware**, putting downstream environments at risk of secret theft and persistence. Malicious releas...
LiteLLM Python package hit by network compromise linked to TeamPCP
Incident
First: 25.03.2026 00:29
Last: 25.03.2026 00:29
Sources 1
About this happening:
The **LiteLLM** Python package was compromised on **PyPI** after attackers published malicious **1.82.7** and **1.82.8** releases, putting downstream installs at risk of **credent...
Timeline
- 28.01.2026 11:30 · 1 article · 3mo ago
spellcheckpy v1.2.0 activates hidden RAT execution
Technical Analysis Update: spellcheckpy version 1.2.0 added an obfuscated execution trigger that fires when SpellChecker is imported, converting a previously dormant malicious payload into an active downloader capable of running a Python RAT hidden in the package.
Sources:
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30
- 28.01.2026 11:30 · 2 articles · 3mo ago
PyPI spellchecker packages disclosed as RAT delivery malware
Initial Disclosure: Researchers identified spellcheckerpy and spellcheckpy on PyPI as malicious spellcheckers that hid a base64-encoded Python RAT downloader inside resources/eu.json.gz, a file taken from legitimate pyspellchecker dictionary data; the packages were collectively downloaded a little over 1,000 times before removal.
Sources:
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30
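
A defensive check for the hiding place described in the timeline above, as an added example that is not from the original report or from the packages themselves: it audits a gzipped JSON dictionary resource for entries that are not plain word-to-count pairs. The flat word-to-integer layout, the thresholds and the sample data are assumptions constructed here.

```python
import base64
import binascii
import gzip
import json
import re

# Assumption: a spellchecker dictionary resource is a gzipped JSON object
# mapping short words to integer frequencies. Anything else is suspicious.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
MAX_WORD_LEN = 64  # hypothetical threshold, tune per language


def looks_like_base64(text):
    """True if text is a long string that strictly decodes as base64."""
    if not isinstance(text, str) or not B64_RE.match(text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def audit_dictionary(gz_bytes):
    """Return (key prefix, reason) findings for entries that are not word: count."""
    data = json.loads(gzip.decompress(gz_bytes).decode("utf-8"))
    findings = []
    for key, value in data.items():
        if looks_like_base64(key):
            findings.append((key[:20], "base64-like key"))
        elif len(key) > MAX_WORD_LEN:
            findings.append((key[:20], "overlong key"))
        if looks_like_base64(value):
            findings.append((key[:20], "base64-like value"))
        elif isinstance(value, bool) or not isinstance(value, int):
            findings.append((key[:20], "non-integer value"))
    return findings


def build_sample(extra=None):
    """Constructed sample dictionary; 'extra' injects a test entry."""
    words = {"alpha": 1200, "beta": 845, "gamma": 310}
    words.update(extra or {})
    return gzip.compress(json.dumps(words).encode("utf-8"))


# Constructed, inert blob standing in for an embedded stage (not a real sample).
INERT_BLOB = base64.b64encode(b"constructed placeholder, not a payload " * 2).decode()
```

Running `audit_dictionary` over every `*.json.gz` file shipped in an installed package's resources directory surfaces embedded blobs before the package is ever imported.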