Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan

Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting Python developers through malicious packages disguised as legitimate spellchecking tools. The packages, named spellcheckerpy and spellcheckpy, were discovered on the Python Package Index (PyPI) repository and collectively downloaded over 1,000 times before being removed.

Hidden Payload in Basque Dictionary

The attack employed an unusually clever technique to conceal its malicious functionality. Rather than hiding the code in typical locations like __init__.py scripts, the threat actor embedded the payload within a file called resources/eu.json.gz that contained Basque word frequencies from the legitimate pyspellchecker package.

"Hidden inside the Basque language dictionary file was a base64-encoded payload that downloads a full-featured Python RAT," explained Charlie Eriksen, a researcher at Aikido. This approach allowed the package to appear completely legitimate during initial inspection.

Dormant Versions Followed by Activation

What makes this attack particularly concerning is its multi-stage deployment strategy. The attacker first published three "dormant" versions of the package that contained the payload but lacked the execution trigger. These versions were designed to establish legitimacy and avoid detection.

However, with the release of spellcheckpy v1.2.0 on January 21, 2026, the attacker "flipped the switch" by adding an obfuscated execution trigger. This trigger activates the moment a user imports the SpellChecker class, causing the package to extract the Basque dictionary archive using the test_file() function with specific parameters.

Once triggered, the package retrieves a Base64-encoded downloader hidden in the dictionary under a key called "spellchecker." This downloader then fetches a Python-based remote access trojan from the domain updatenet[.]work.

Capabilities of the Remote Access Trojan

The RAT delivered by these malicious packages is capable of comprehensive system compromise:

• Fingerprinting the compromised host to gather system information
• Parsing incoming commands from the command-and-control server
• Executing arbitrary commands on the infected system

The command-and-control infrastructure uses IP address 172.86.73[.]139, managed by RouterHosting LLC (also known as Cloudzy). This hosting provider has previously been associated with services used by nation-state groups, raising concerns about the sophistication and potential backing of this operation.

Connection to Previous Attacks

This is not an isolated incident. In November 2025, security firm HelixGuard discovered a similar malicious package named "spellcheckers" that also delivered a remote access trojan. The striking similarities between these attacks suggest they may be the work of the same threat actor, indicating an ongoing campaign targeting the Python ecosystem.

Broader Context: NPM Attacks and AI-Related Threats

The Python spellchecker attacks are part of a larger pattern of supply chain compromises. Security researchers have also identified several malicious npm packages designed to facilitate data theft and target cryptocurrency wallets:

• flockiali (versions 1.2.3-1.2.6)
• opresc (1.0.0)
• prndn (1.0.0)
• oprnm (1.0.0)
• operni

These packages contain JavaScript files that serve fake Microsoft-branded login screens as part of targeted spear-phishing campaigns against employees at industrial and energy companies in France, Germany, Spain, the UAE, and the U.S.

Another malicious npm package, ansi-universal-ui (versions 1.3.5 through 1.4.1), masquerades as a UI component library but deploys a Python-based stealer called G_Wagon. This malware exfiltrates web browser credentials, cryptocurrency wallets, cloud credentials, and Discord tokens to an Appwrite storage bucket.

The Emerging Threat of Slopsquatting

Adding to these concerns, Aikido has highlighted the emerging threat of "slopsquatting," where AI-powered agents can hallucinate non-existent packages that threat actors can then claim and populate with malicious code.

In one documented case, a fictitious npm package named "react-codeshift" was referenced by 237 GitHub repositories after being invented by a large language model in mid-October 2025. Some repositories even instructed AI agents to install this non-existent package.

"How did it spread to 237 repos? Agent skill files. Copy-pasted, forked, translated into Japanese, never once verified," Eriksen noted. "Skills are the new code. They don't look like it. They're Markdown and YAML and friendly instructions. But they're executable. AI agents follow them without asking, 'Does this package actually exist?'"

This phenomenon represents a new attack vector where the automation tools designed to improve developer productivity could inadvertently introduce malicious dependencies into software projects.

Protection and Detection

For developers and organizations using Python packages, several protective measures are recommended:

1. Verify package sources before installation, especially for packages with similar names to popular ones
2. Monitor package downloads and investigate unusual activity
3. Use security scanning tools that can detect obfuscated code and suspicious dependencies
4. Implement dependency management policies that restrict installation of packages from unverified sources
5. Keep security tools updated to detect the latest attack patterns

The discovery of these malicious packages underscores the critical importance of supply chain security in modern software development. As attackers become more sophisticated in their techniques, developers must remain vigilant about the packages they incorporate into their projects.

The incident serves as a stark reminder that even popular, trusted repositories like PyPI can harbor malicious packages, and that the consequences of installing compromised dependencies can be severe, ranging from data theft to complete system compromise.