Two malicious packages that pose as spellcheckers but have the ability to distribute a remote access trojan (RAT) have been found by cybersecurity researchers in the Python Package Index (PyPI) repository This article explores spellcheckpy v1 attacker. . The packages, spellcheckerpy and spellcheckpy, were downloaded slightly more than 1,000 times before they were taken down.

Charlie Eriksen, an Aikido researcher, stated that "a base64-encoded payload that downloads a full-featured Python RAT was hidden inside the Basque language dictionary file."

"With spellcheckpy v1.2.0, the attacker flipped the switch, adding an obfuscated execution trigger that fires the moment you import SpellChecker, after first publishing three 'dormant' versions with payload present and trigger absent." The threat actor behind the campaign has been discovered to add the payload inside a file called "resources/eu.json.gz" that contains Basque word frequencies from the authentic pyspellchecker package, in contrast to other packages that hide the malicious functionality within "__init__.py" scripts.

Although the function appears simple and innocuous, when the archive file is extracted using the test_file() function with the parameters test_file ("eu", "utf-8", "spellchecker"), it retrieves a Base64-encoded downloader that is concealed in the dictionary under a key named "spellchecker." It's interesting to note that the first three iterations of the package never executed the payload; instead, they only fetched and decoded it. That was altered, though, when spellcheckpy version 1.2.0 was released on January 21, 2026, and it was now capable of executing the payload.

A downloader that is intended to obtain a Python-based RAT from an external domain ("updatenet[. ]work") is the first step. Incoming commands can be parsed and executed, and the compromised host can be fingerprinted.

The IP address 172.86.73[. ]139, which is managed by RouterHosting LLC (also known as Cloudzy), a hosting company with a track record of providing its services to nation-state organizations, is linked to the domain, which was registered in late October 2025. Fake Python spell-checking tools have previously been found in PyPI.

HelixGuard claimed to have found a malicious package called "spellcheckers" in November 2025 that had the capacity to retrieve and run a RAT payload. These two sets of attacks are thought to have been carried out by the same threat actor.

The development coincides with the discovery of multiple malicious npm packages to target cryptocurrency wallets and facilitate data theft: flockiali (1.2.3-1.2.6), opresc (1.0.0), prndn (1.0.0), oprnm (1.0.0), and operni. These packages contain a single JavaScript file that, when loaded, serves a fake Microsoft-branded login screen as part of a targeted spear-phishing campaign that targets employees at particular industrial and energy companies in France, Germany, Spain, the United Arab Emirates, and the United Arab Emirates. America.

with malicious links ansi-universal-ui (1.3.5, 1.3.6, 1.3.7, 1.4.0, 1.4.1), which poses as a UI component library but actually launches G_Wagon, a Python-based stealer that exfiltrates Discord tokens, web browser credentials, cryptocurrency wallets, and cloud credentials to an Appwrite storage bucket. The revelation also coincides with Aikido's emphasis on the danger posed by slopsquatting, in which agents driven by artificial intelligence (AI) may perceive packages that don't exist, which a threat actor may then claim and use to send malicious code to users downstream.

A fictitious npm package called "react-codeshift" was discovered to be referenced by 237 GitHub repositories since it was composed of a large language model in mid-October 2025. Some of these repositories even instructed AI agents to install it, according to one instance that the supply chain security company brought to light. "How did it get to 237 repos?

skill files for agents. translated into Japanese, copied and pasted, and never once checked," Eriksen claimed. "The new code is skills. They don't appear to be.

They are YAML, Markdown, and easy-to-follow instructions. However, they can be executed. Without posing the question, "Does this package actually exist?" AI agents follow them.