
Researchers Uncover Malicious Campaign Targeting PyPI Users with Fake Libraries
Cybersecurity researchers have uncovered a malicious campaign targeting users of the Python Package Index (PyPI) with fake libraries that masquerade as "time"-related utilities but contain hidden functionality to steal sensitive data such as cloud access tokens. Software supply chain security company ReversingLabs identified two sets of packages, 20 in total. The packages were downloaded more than 14,100 times before being removed.