THREAT OPS › Threat News › The serpent’s tongue: Luring the Python out of its den
The serpent’s tongue: Luring the Python out of its den
<ul><li>Python's popularity, readable syntax, and extensive third-party library ecosystem make it an attractive target for threat actors seeking to compromise developer devices and infrastructure.  </li><li>Malicious packages and supply-chain attacks are increasingly common, exploiting the trust built into Python's packaging ecosystem to execute payloads at the moment of instal
MITRE ATT&CK techniques
- VulnerabilitiesT1588.006
- Supply Chain CompromiseT1195
- Vulnerability ScanningT1595.002
- Code RepositoriesT1593.003
- Code RepositoriesT1213.003
- Malicious PackageAML.T0011.001
- Code RepositoriesAML.T0095.000
Indicators of compromise
- https://survey.stackoverflow.co/2025/technology#most-popular-technologies-language-languageurl
- https://pypistats.org/packages/__all__url
- https://github.blog/security/supply-chain-security/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware/url
- https://www.wired.com/story/teampcp-software-supply-chain-attack-spree-github/url
- https://pypi.org/pypi/<package-name>/json”url
- https://packaging.python.org/en/latest/specifications/binary-distribution-format/url
- https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-reporturl
- https://whiteintel.io/blog/infostealer-lifecycle-48-hoursurl
- https://docs.python.org/3.11/distutils/apiref.html#module-distutils.command.installurl
- https://www.fortinet.com/blog/threat-research/fortiguard-ai-detects-malicious-packages-in-pypiurl
- https://www.endorlabs.com/learn/teampcp-isnt-doneurl
- https://pypi.org/project/hatchling/url
- https://docs.python.org/3/library/site.htmlurl
- https://socprime.com/active-threats/vipertunnel-python-backdoor-analysis/url
- https://www.qualys.com/2024/11/19/needrestart/needrestart.txturl
- https://snyk.io/blog/lightning-pypi-compromise-bun-based-credential-stealer/url
- https://checkmarx.com/blog/this-new-supply-chain-attack-technique-can-trojanize-all-your-cli-commands/url
- https://pypi.org/project/pip-audit/url
- https://bernat.tech/posts/securing-python-supply-chain/url
- https://docs.astral.sh/uv/reference/cli/#uv-run--exclude-newerurl
- storage.ghost.iodomain
- files.pythonhosted.orgdomain