Malicious PyPI Packages deepseeek and deepseekai Target Developers

Summary

The Supply Chain Security team of the Threat Intelligence department at Positive Technologies Expert Security Center (PT ESC) identified and mitigated a malicious campaign targeting PyPI, the popular Python package repository. The attack targeted developers, ML engineers, and AI enthusiasts by disguising malicious packages—deepseeek and deepseekai—as legitimate integrations for DeepSeek, a trending AI tool.

These packages, uploaded on January 29, 2025, contained scripts designed to steal environment variables that often hold sensitive credentials (e.g., API keys and database access details). The stolen data was transmitted to a command-and-control server hosted on Pipedream, an integration platform. Notably, the malicious script bore signs of being AI-assisted in its development. The PT ESC team swiftly notified PyPI administrators, leading to the quarantine and removal of the packages within an hour of their discovery. However, before deletion, the packages were downloaded 222 times worldwide, posing a potential security risk.

Technical Details

As part of ongoing threat research and monitoring, the Supply Chain Security team from the Threat Intelligence department at Positive Technologies Expert Security Center (PT ESC) identified and stopped a malicious campaign in the Python Package Index (PyPI) repository. This attack targeted developers, machine learning engineers, and AI enthusiasts interested in integrating DeepSeek into their systems.

PyPI serves as the default package repository for widely used package managers, including pip, pipenv, and poetry. On January 29, 2025, a malicious user (bvk), whose account was created in June 2023 but had no prior activity, uploaded two harmful packages: deepseeek and deepseekai.

These packages contained functions designed to gather system and user data and steal environment variables. Environment variables often store sensitive credentials, such as API keys, database login details, and access permissions for infrastructure resources.

The malicious payload was triggered when users ran deepseeek or deepseekai commands in the command-line interface. The attacker used Pipedream, a developer-focused integration platform, as a command-and-control (C2) server to receive the stolen data. Notably, analysis of the script revealed characteristics indicative of AI-assisted code generation, with automated comments explaining sections of the script.

PT ESC promptly reported the malicious packages to PyPI administrators, who have since removed them from the repository. Despite the swift response, the packages were downloaded 36 times via the pip package manager and Bandersnatch mirroring tool and an additional 186 times through browsers, the requests library, and other methods.

Attack timeline

Date & Time (UTC+0)	Event Description
January 29, 2025, 15:52:58	The deepseeek 0.0.8 package is uploaded to PyPI.
January 29, 2025, 16:13:10	The deepseekai 0.0.8 package is published on PyPI.
January 29, 2025, 16:21:32	Upon detection, both packages are quarantined and blocked from downloads via package manager
January 29, 2025, 16:41:14	PyPI administrators remove the deepseeek package and confirm the action with PT ESC
January 29, 2025, 16:42:01	PyPI administrators delete the deepseekai package and notify PT ESC.

The figure below illustrates the distribution of downloads for the malicious PyPI packages across different countries and download methods.

Conclusion

The discovery and removal of the malicious deepseeek and deepseekai packages highlight the constant threats facing open-source ecosystems like PyPI. This incident reinforces the importance of vigilant monitoring, proactive threat detection, and quick response mechanisms in preventing potential supply chain attacks. While the attack was contained swiftly, the fact that the packages were downloaded over 220 times demonstrates how cybercriminals exploit emerging technologies and developer trust. The use of AI-assisted coding in the malicious scripts further underscores how attackers are leveraging modern tools to enhance their techniques.