Cyber Security / AI & Policy

The PyPI Cloud Credential Harvesting Attack: What Every CTO Must Do RIGHT NOW

- by Ansari Alfaiz

On November 2, 2025, security firm ReversingLabs uncovered a massive, coordinated supply chain attack targeting the Python Package Index (PyPI), the default software repository for the Python community. This was not a simple malware infection; it was a sophisticated, multi-month campaign designed for one purpose: to steal cloud credentials from developers and use them to compromise enterprise cloud environments.mixmode

The attack involved 20 malicious Python packages that masqueraded as legitimate cloud utilities, tricking developers into installing them. These packages, with deceptive names like acloud-client and enumer-iam, were downloaded over 14,100 times before detection. For three months, they silently harvested AWS, Alibaba, and Tencent Cloud credentials from developer environments—often the least monitored and most trusted part of an organization’s infrastructure.mixmode

The core problem for every CTO is that your development pipeline has likely been compromised. The trust your developers place in open-source repositories has been weaponized against you. This is an urgent threat that requires immediate action.

A security diagram illustrating the PyPI supply chain attack vector where malicious Python packages steal developer AWS credentials.

Anatomy of a Sophisticated Supply Chain Attack

This PyPI attack succeeded because it was meticulously engineered to evade both human suspicion and automated security checks.

Attack ComponentThe Tactic UsedWhy It Was Effective
Social EngineeringPackages were given plausible names like acloud-client, enumer-iam, and snapshot-photo mixmode​.Developers, looking for a simple utility, would see a name that matched their needs and install it without a second thought. This is a classic typosquatting and name-confusion tactic checkmarx​.
CamouflageThe packages included basic, legitimate functionality. For example, snapshot-photo might actually create a simple backup file.This allowed the packages to pass superficial testing. A developer running a quick check would see the package “work” as expected, unaware of the malicious code hidden within.
Credential HarvestingThe malware was designed to be a silent infostealer. It systematically searched developer machines for AWS credential files (~/.aws/credentials), configuration files (~/.aws/config), and environment variables theregister​.This is the most common way developers store cloud access keys on their local machines, making it a goldmine for attackers.
Stealth & EvasionThe malicious code only activated upon installation, exfiltrated the credentials to a command-and-control (C2) server, and then deleted its logs to cover its tracks kaspersky​.The attack left almost no forensic evidence on the local machine and generated minimal network traffic, allowing it to remain undetected for months.

The attackers understood the developer workflow perfectly. They knew that PyPI has minimal automated security scanning and that developers are often under pressure to install packages quickly to solve a problem. They exploited this trust at scale.bitdefender

The Scale and Impact: A Three-Month Undetected Breach

The most alarming aspect of this attack is the time it remained active before discovery.

  • Initial Upload: The first packages were uploaded to PyPI around August 2025.
  • Active Infection Period: From August to October 2025, over 14,100 downloads occurred across more than 50 countries.mixmode
  • Detection: The campaign was finally discovered by ReversingLabs on November 2, 2025.

For three months, attackers had a steady stream of fresh AWS, Alibaba, and Tencent Cloud credentials. The organizations most at risk are those with less mature security programs: startups, mid-market tech companies, and any organization that uses freelance developers or has a relaxed policy around open-source package installation.

What an Attacker Can Do with Your Stolen AWS Credentials:

  • Data Exfiltration: Access and steal sensitive data from S3 buckets and RDS databases.
  • Resource Hijacking: Spin up powerful EC2 instances for cryptocurrency mining, racking up huge bills on your account.
  • Ransomware & Sabotage: Encrypt or delete your production data and backups.
  • Lateral Movement: Use the compromised credentials to create new IAM users and roles, establishing a persistent foothold in your cloud environment.

This is not just a credential leak; it’s a full-scale cloud security breach waiting to happen.

Your IMMEDIATE Response Checklist

You must assume you are compromised. The following actions need to be taken within the next 24 hours.

Phase 1: Triage & Containment (The Next 4 Hours)

  1. [ ] Isolate Developer Environments: If possible, temporarily restrict network access from developer workstations to production cloud environments.
  2. [ ] Scan for Malicious Packages: Run the command pip list on all developer machines and CI/CD runners. Search for the package names published by ReversingLabs, including acloud-client, enumer-iam, snapshot-photo, and others.
  3. [ ] Force Rotate ALL Cloud Credentials: This is non-negotiable. In your AWS, Alibaba, and Tencent Cloud consoles, immediately expire and revoke ALL existing access keys for developers and service accounts. This will break things, but it’s better than an active breach.
  4. [ ] Alert Key Stakeholders: Notify your security team, CTO, and legal counsel. This is now a formal incident. Our Incident Response Framework Guide can help structure this process.

Phase 2: Investigation (The Next 24 Hours)

  1. [ ] Audit CloudTrail Logs: Scrutinize your AWS CloudTrail logs from August to November 2025. Look for any suspicious API calls originating from unusual IP addresses, especially those related to IAM (CreateUser, CreateAccessKey) or data access (GetObject, ListBuckets).
  2. [ ] Hunt for Unauthorized Resources: Search your cloud environment for any resources you don’t recognize—unauthorized EC2 instances (especially in unused regions), new IAM roles with broad permissions, or unexpected RDS snapshots.
  3. [ ] Check for Data Exfiltration: Analyze S3 access logs and VPC flow logs for any large, unexpected data transfers to unknown IP addresses.

Prevention and Long-Term Hardening

This attack was preventable. The following long-term strategies are now essential for any organization using open-source software.

Control AreaThe ProblemThe Solution
Dependency ManagementDevelopers install packages directly from the public PyPI repository, which is untrusted.Implement a private PyPI mirror (like Artifactory or Nexus). All packages must be scanned and approved before being admitted to your internal repository. Use pinned versions in requirements.txt to prevent unexpected updates.
Credential ManagementDevelopers store long-lived static credentials in plain text files on their laptops.NEVER store credentials in ~/.aws/credentials. Mandate the use of AWS STS temporary credentials (AssumeRole), which expire automatically. Use a secrets management tool like HashiCorp Vault or AWS Secrets Manager.
Monitoring & DetectionThere is no visibility into what packages developers are installing.Implement Software Composition Analysis (SCA) tools to scan your codebase for vulnerable dependencies. Monitor pip install commands and alert on any package not from your private mirror. Enable AWS GuardDuty for threat detection.

This moves your organization from a reactive posture to a proactive one, hardening your software supply chain against the next attack. This is a core component of a modern Continuous Threat Exposure Management (CTEM) program.

Conclusion: The Age of Assumed Trust is Over

The 2025 PyPI attack is a brutal reminder that the open-source software supply chain is a primary battleground for cyber attackers. The convenience of public repositories like PyPI comes at the cost of immense, often invisible, risk. The age of assuming that popular packages are safe is over.

Your response speed in the coming hours will determine whether this incident is a contained security event or a catastrophic breach that results in data loss, financial damage, and reputational ruin.

To learn more about securing your development lifecycle, refer to our Secure Coding Guide for Beginners.

The BC Threat Intelligence Group

SOURCES

  1. https://www.cncf.io/blog/2025/10/30/securing-the-software-supply-chain-how-distroless-containers-defend-against-npm-malware-attacks/
  2. https://www.theregister.com/2025/10/30/phantomraven_npm_malware/
  3. https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-year-long-pypi-supply-chain-attack-using-ai-chatbot-tools-as-lure
  4. https://mixmode.ai/blog/why-the-2025-pypi-attack-signals-a-new-era-in-cloud-risk/
  5. https://www.bitdefender.com/en-us/blog/hotforsecurity/supply-chain-attack-detected-in-pypi-library
  6. https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/
  7. https://xygeni.io/blog/a-closer-look-at-software-supply-chain-attacks-2025/
  8. https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/
  9. https://www.zscaler.com/blogs/security-research/malicious-pypi-packages-deliver-silentsync-rat
  10. https://blog.pypi.org/archive/2025/

About Ansari Alfaiz

View all posts by Ansari Alfaiz →