Spellcheckerpy and spellcheckpy PyPI RAT delivery activity
Malware Activity
Summary
Hide ▲
Show ▼
spellcheckerpy and spellcheckpy on PyPI were found delivering a hidden Python remote access trojan (RAT), turning a spellchecker lure into a malware dropper. The packages were collectively downloaded a little over 1,000 times before removal, and the malicious behavior was set to trigger when SpellChecker is imported. The downloader reached out to updatenet[.]work to fetch the second-stage RAT, making the packages a live supply-chain malware threat rather than a benign typo-squatting nuisance.
Related Happenings
Operation Navy Ghost PyPI supply-chain campaign
Campaign
H score26
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Operation Navy Ghost PyPI supply-chain campaign
CampaignAbout this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Axios package cross-platform RAT delivery
Malware Activity
H score37
First: 31.03.2026 16:53
Last: 31.03.2026 16:53
Sources 1
About this happening:
A **malicious Axios package payload** now delivers a **remote access trojan** to **Windows, macOS, and Linux** hosts, creating cross-platform compromise risk. The infection begins...
Axios package cross-platform RAT delivery
Malware ActivityAbout this happening: A **malicious Axios package payload** now delivers a **remote access trojan** to **Windows, macOS, and Linux** hosts, creating cross-platform compromise risk. The infection begins...
Telnyx package hit by network compromise
Incident
H score19
First: 27.03.2026 23:13
Last: 27.03.2026 23:13
Sources 1
About this happening:
The **Telnyx package** on **PyPI** was **compromised**, and malicious releases began executing at import, putting downstream developers at risk of secret theft. The bad uploads in...
Telnyx package hit by network compromise
IncidentAbout this happening: The **Telnyx package** on **PyPI** was **compromised**, and malicious releases began executing at import, putting downstream developers at risk of secret theft. The bad uploads in...
Timeline
-
28.01.2026 11:30 1 articles · 5mo ago
spellcheckpy v1.2.0 activates hidden RAT execution
Technical Analysis Updatespellcheckpy version 1.2.0 added an obfuscated execution trigger that fires when SpellChecker is imported, converting a previously dormant malicious payload into an active downloader capable of running a Python RAT hidden in the package.
Show sources
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30
-
28.01.2026 11:30 2 articles · 5mo ago
PyPI spellchecker packages disclosed as RAT delivery malware
Initial DisclosureResearchers identified spellcheckerpy and spellcheckpy on PyPI as malicious spellcheckers that hid a base64-encoded Python RAT downloader inside resources/eu.json.gz from legitimate pyspellchecker dictionary data; the packages were collectively downloaded a little over 1,000 times before removal.
Show sources
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30