
Infostealers spread via malicious DeepSeek-spoofing PyPI packages


BleepingComputer reports that the increasingly popular Chinese generative artificial intelligence platform DeepSeek has been impersonated by two new Python clients on the Python Package Index that spread information-stealing malware.

Execution of the nefarious DeepSeek-spoofing "deepseeek" and "deepseekai" packages enabled the theft of user and system information, as well as database credentials, API keys, and infrastructure access tokens, which were later sent to a Pipedream-hosted command-and-control server, according to a Positive Technologies analysis. "The payload is executed when the user runs the commands deepseeek or deepseekai (depending on the package) in the command-line interface. Environment variables often contain sensitive data required for applications to run, for example, API keys for the S3 storage service, database credentials, and permissions to access other infrastructure resources," said the report. More than 220 developers, most of them from the U.S., China, and Russia, have already downloaded the malicious packages since they were uploaded on Jan. 29, noted researchers, who urged those who downloaded the packages to immediately rotate their API keys, passwords, and authentication tokens.
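The check and rotation advice above can be scripted. The following is an added example, not code from the article or from the Positive Technologies report: it looks for the two reported package names (and for console commands of the same names) among installed Python distributions and, only if one is found, lists the names of environment variables that look like secrets. The `SECRET_HINT` pattern and all function names are assumptions made for illustration.

```python
import os
import re
from importlib import metadata

MALICIOUS = {"deepseeek", "deepseekai"}  # package/command names from the article
# Assumption: name fragments that usually mark a secret-bearing variable.
SECRET_HINT = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|DATABASE_URL", re.I)

def normalize(name):
    """PEP 503 normalisation: case and -, _, . are not significant on PyPI."""
    return re.sub(r"[-_.]+", "-", name or "").lower()

def installed_inventory():
    """Yield (name, version, console_script_names) for each installed distribution."""
    for dist in metadata.distributions():
        scripts = [ep.name for ep in dist.entry_points if ep.group == "console_scripts"]
        yield dist.metadata.get("Name", ""), dist.version, scripts

def find_hits(inventory):
    """Return distributions whose name or CLI command matches a reported package."""
    hits = []
    for name, version, scripts in inventory:
        bad_cmds = sorted(s for s in scripts if s.lower() in MALICIOUS)
        if normalize(name) in MALICIOUS or bad_cmds:
            hits.append({"package": name, "version": version, "commands": bad_cmds})
    return hits

def secrets_to_rotate(environ):
    """Names (never values) of environment variables that look like secrets."""
    return sorted(k for k in environ if SECRET_HINT.search(k))

def triage(inventory, environ):
    hits = find_hits(inventory)
    # Only build a rotation list when an affected package is actually present.
    return {"hits": hits, "rotate": secrets_to_rotate(environ) if hits else []}

if __name__ == "__main__":
    report = triage(installed_inventory(), os.environ)
    for hit in report["hits"]:
        print(f"FOUND {hit['package']} {hit['version']} commands={hit['commands']}")
    for var in report["rotate"]:
        print(f"rotate credential behind ${var}")
    if not report["hits"]:
        print("no reported package installed in this environment")
```

Run it with the interpreter of each virtual environment or host where the packages may have been installed, since it only sees the distributions and environment variables visible to that interpreter.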
