Malicious DeepSeek Packages Found in Python Package Index (PyPi)
Researchers have discovered malicious DeepSeek-impersonating packages planted in the Python Package Index (PyPi); the code is actually loaded with infostealers. Experts warn that this is probably not the only platform loaded with fake, malicious DeepSeek packages, and that developers should proceed with caution.
Discovery of Malicious Packages
Researchers with Positive Technologies discovered the malicious packages, labeled "deepseekai" and "deepseeek," trying to trick developers into thinking they were legitimate. These packages were found to be masquerading as official DeepSeek packages, highlighting the need for developers to be vigilant when installing packages from third-party sources.
Importance of Strong Security Practices
According to Raj Mallempati, CEO of BlueFlag Security, developers need to implement strong security practices throughout the software development lifecycle (SDLC). This includes using software composition analysis (SCA) tools, as well as automated vulnerability scanning, limiting the use of unverified packages in developer environments, and threat intelligence monitoring.
Protecting Against OSS Typosquatting
Mallempati emphasizes the need for developers to specifically protect against threats like OSS typosquatting. "Double checking package names and verifying package sources that come from DeepSeek will be key here," he explains. Additionally, developers should enable dependency scanning tools like Github Dependabot to ensure they are not downloading malicious packages.
Related Articles
- Code-Scanning Tool’s License at Heart of Security Breakup
Facebook Pixel
