In a recent campaign, a threat actor is actively releasing several malicious packages designed to steal credentials, personal information, and cryptocurrency from targeted machines. These packages deliver an info-stealing trojan named WASP (or W4SP).

The latest campaign

According to Checkmarx researchers, the latest WASP campaign has features to ensure persistence on a compromised PC and evade cybersecurity tools.
  • The attackers are using polymorphic malware (the payload changes with every installation), steganography to hide code inside packages, and reboot persistence, and are building a fake GitHub reputation with the Starjacking technique.
  • They are either using already-made user accounts on PyPI and other open-source projects to upload malicious packages, or creating legitimate-looking fake user accounts on GitHub or Steam while stealing the profile description from popular user accounts.
  • Further, they are creating different, unoccupied package names with slight modifications. So far, according to its Discord server, WASP has infected hundreds of victims.

More about WASP

WASP is an info-stealing malware that steals all the victim’s Discord accounts, passwords, crypto wallets, credit cards, and other interesting files on the victim’s PC.
  • It sends the stolen data back to the attacker through a hard-coded Discord webhook address.
  • WASP operators claim that it is fully undetectable. They are selling it for $20 to other criminals, with payment coming in cryptocurrency or gift cards.

Earlier campaigns

  • Earlier this month, Phylum researchers found that dozens of newly published PyPI packages were delivering WASP Stealer onto Python developers' machines by hiding malicious code.
  • In addition, Check Point researchers disclosed that several malicious PyPI packages were using image-based code obfuscation (steganography) and infecting through open-source projects on GitHub.

Checkmarx’s recent report connects both of these campaigns to the same attacker. It says the operator is still releasing malicious packages and launching campaigns, just by changing GitHub usernames and package names.


Attacks of this kind are difficult to stop because whenever the team behind PyPI deletes discovered malicious packages, the threat actors quickly maneuver and create a new identity or simply use a different name. The involvement of polymorphic malware highlights the importance of sharing threat intel in the open-source ecosystem to better protect against the growing number of such threats.
Cyware Publisher