
Two malicious packages masquerading as DeepSeek AI development tools have been discovered on the Python Package Index (PyPI). Named “deepseeek” and “deepseekai,” these packages were designed to steal sensitive information from unsuspecting developers.
The malware campaign, identified by Positive Technologies, utilized an account created in June 2023 to upload the packages on January 29, 2025. Once installed, the malicious code would:
– Steal user and system data
– Capture environment variables
– Collect API keys and database credentials
– Harvest infrastructure access tokens
– Exfiltrate data to a C2 server via Pipedream
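One way to check whether an environment picked up the packages named above, as an added example that is not part of the report: it flags the two names the report lists and, more generally, any installed distribution whose normalized name sits within a small edit distance of a name it could be impersonating (the "deepseek" entry in the watch list is an assumption for this example, not taken from the report).

```python
"""Scan installed Python distributions for the typosquatted packages above."""
import re
from importlib.metadata import distributions

# Package names taken from the report.
KNOWN_MALICIOUS = {"deepseeek", "deepseekai"}
# Legitimate names an attacker might imitate (assumed for this example).
WATCHED_NAMES = {"deepseek"}


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_', '.' are one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(names, max_distance: int = 2) -> dict:
    """Map each suspicious distribution name to a verdict; clean names are omitted."""
    findings = {}
    for raw in names:
        name = normalize(raw)
        if name in KNOWN_MALICIOUS:
            findings[raw] = "known-malicious"
            continue
        for legit in WATCHED_NAMES:
            # The legitimate name itself is not a typosquat of itself.
            if name != legit and edit_distance(name, legit) <= max_distance:
                findings[raw] = f"possible typosquat of {legit}"
    return findings


def scan_environment() -> dict:
    """Classify every distribution visible to this interpreter."""
    names = [d.metadata.get("Name") for d in distributions()]
    return classify(n for n in names if n)


if __name__ == "__main__":
    for pkg, verdict in scan_environment().items():
        print(f"{pkg}: {verdict}")
```

A hit on "known-malicious" is the cue to treat the host's environment variables and credentials as exposed and start the rotation steps listed below.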
Impact and Distribution:
– 222 total downloads
– 117 downloads from the United States
– 36 downloads from China
– Additional downloads from Russia, Germany, Hong Kong, and Canada
PyPI has since quarantined and removed both packages. Affected developers are advised to:
– Rotate all API keys
– Change authentication tokens and passwords
– Verify cloud service security
– Check for potential unauthorized access
This incident highlights the ongoing security risks in public package repositories and the importance of verifying package authenticity before installation.