DeepSeek’s popularity exploited to push malicious packages via PyPI
Two malicious packages leveraging the DeepSeek name have been published to the Python Package Index (PyPI) package repository, and in the 30 minutes or so they were up, they have been downloaded 36 times.
The malicious packages
The attack started on January 29, 2025, when an existing account published two packages.
Named deepseeek and deepseekai, the packages were ostensibly client libraries for access to and interacting with the DeepSeek AI API, but they contained functions designed to collect user and computer data, as well as environment variables, which may contain API keys for cloud storage services, database credentials, etc.
The malicious payload used in the packages (Source: Positive Technologies)
“The author of the two packages used Pipedream, an integration platform for developers, as the command-and-control server that receives stolen data,” Positive Technology researchers shared.
The malicious packages have been reported to and quarantined by PyPI administrators less than 30 minutes after the first one was published. Nevertheless, developers’ increased interest into integrating DeepSeek into their systems resulted in 36 downloads from around the world.
“The [malicious] script was written with the help of an AI assistant, which is indicated by the characteristic comments explaining the lines of code,” PT researchers pointed out.
The incident shows that attackers are increasingly leveraging AI tools for creating malicious payloads, and are always trying to piggyback on current trends (i.e., the sudden massive interest in DeepSeek’s AI model).
Developers, beware!
PyPI is used as the default package repository by many popular package managers and, as such, it’s THE place to plant malicious Python packages for maximum effect.
Thanks to the quick discovery of the packages and reaction by the repository’s admins, this attack ended up being “relatively harmless”, but attackers are sure to continue with the same tricks.
“We recommend being careful with newly released packages that pose as wrappers for popular services,” the researchers advised.