
""Hidden inside the Basque language dictionary file was a base64-encoded payload that downloads a full-featured Python RAT," Aikido researcher Charlie Eriksen said. "The attacker published three 'dormant' versions first, payload present, trigger absent, then flipped the switch with spellcheckpy v1.2.0, adding an obfuscated execution trigger that fires the moment you import SpellChecker." Unlike other packages that conceal the malicious functionality within "__init__.py" scripts, the threat actor behind the campaign has been found to add the payload inside a file named "resources/eu.json.gz" that contains Basque word frequencies from the legitimate pyspellchecker package."
"While the function looks straightforward and harmless, the malicious behavior is triggered when the archive file is extracted using the test_file() function with the parameters: test_file("eu", "utf-8", "spellchecker"), causing it to retrieve a Base64-encoded downloader hidden in the dictionary under a key called "spellchecker." Interestingly, the first three versions of the package only fetched and decoded the payload, but never executed it. However, that changed with the release of spellcheckpy version 1.2.0, published on January 21, 2026, when it gained the ability to run the payload as well."
Researchers found two malicious PyPI packages named spellcheckerpy and spellcheckpy that were downloaded slightly over 1,000 times before removal. The payload was embedded as a base64-encoded downloader inside a Basque language dictionary archive at resources/eu.json.gz. Extraction via test_file("eu", "utf-8", "spellchecker") triggers retrieval of the hidden downloader from the dictionary key "spellchecker." Initial releases fetched and decoded the payload without executing it; spellcheckpy v1.2.0, published January 21, 2026, added an obfuscated trigger that executes the payload. The first-stage downloader retrieves a Python RAT capable of host fingerprinting and command execution.
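A useful defensive takeaway from the above is that a word-frequency dictionary has a very narrow expected shape (word -> integer count), so any entry carrying a string value, let alone a base64 string that decodes to Python source, is an anomaly worth flagging. The following audit script is an added example written for this summary; it is not code from the article, from Aikido, or from the pyspellchecker project. It assumes pyspellchecker-style resource archives are gzip-compressed JSON objects mapping words to integer counts, builds a constructed sample archive in memory with a harmless placeholder string planted under a key named "spellchecker" (mirroring the reported key name), and reports entries that break the expected shape. Nothing here executes decoded content; it only inspects it.

```python
import base64
import gzip
import io
import json
import re
from pathlib import Path

# Assumption (constructed for this example): a pyspellchecker-style
# resources/<lang>.json.gz is a gzip-compressed JSON object mapping each word
# to an integer frequency, so any non-integer value is out of place.

# Tokens that a decoded base64 blob should never contain if it were word data.
CODE_MARKERS = re.compile(rb"\b(import|exec|eval|compile|urllib|socket|subprocess)\b")


def pack_archive(table):
    """Gzip a word-frequency table the way a resources/<lang>.json.gz is stored."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps(table).encode("utf-8"))
    return buf.getvalue()


def build_sample_archive():
    """Constructed sample: a few Basque-looking counts plus one planted string entry.

    The planted value is a harmless placeholder, not the real payload; the key
    name "spellchecker" is the one reported in the write-up.
    """
    table = {"eta": 91234, "bai": 40211, "egun": 12099, "zuzentzaile": 57}
    placeholder = b"import sys\nprint('constructed placeholder, not a payload')"
    table["spellchecker"] = base64.b64encode(placeholder).decode("ascii")
    return pack_archive(table)


def looks_like_base64(text):
    """Cheap shape check before attempting a strict decode."""
    return len(text) >= 16 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text) is not None


def audit_frequency_archive(data):
    """Return one finding per entry whose value does not look like a word count."""
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gz:
        table = json.loads(gz.read().decode("utf-8"))
    findings = []
    for key, value in table.items():
        if isinstance(value, int) and not isinstance(value, bool):
            continue  # normal entry: word -> frequency
        finding = {"key": key, "reason": "non-integer value", "code_markers": False}
        if isinstance(value, str) and looks_like_base64(value):
            try:
                decoded = base64.b64decode(value, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                decoded = b""
            if CODE_MARKERS.search(decoded):
                finding["reason"] = "base64 value decodes to code-like text"
                finding["code_markers"] = True
        findings.append(finding)
    return findings


def audit_directory(root):
    """Audit every *.json.gz under root, e.g. an installed package's resources dir."""
    return {
        str(path): audit_frequency_archive(path.read_bytes())
        for path in Path(root).rglob("*.json.gz")
    }


if __name__ == "__main__":
    for finding in audit_frequency_archive(build_sample_archive()):
        print(finding)
```

Run against a real environment with `audit_directory("/path/to/site-packages")` (hypothetical path) to list every frequency archive whose entries deviate from the word-to-count shape; the strict-shape check catches the planted entry even when the decoded text contains none of the listed tokens, and the token scan only upgrades the reason for triage.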
Read at The Hacker News