AI Malware Dressed Up as DeepSeek Packages Lurks in PyPI
Adversaries looking to ride the DeepSeek interest wave are taking advantage of developers in a rush to deploy the new technology, by using AI-generated malware against them.
Researchers have found malicious DeepSeek-impersonating packages planted in the Python Package Index (PyPI); the code is actually loaded with infostealers. Experts warn that PyPI is probably not the only platform carrying fake, malicious DeepSeek packages, and that developers should proceed with care.
Researchers with Positive Technologies discovered the malicious packages, labeled “deepseekai” and “deepseeek,” trying to trick developers into thinking they were legit.
“The attack targeted developers, machine learning [ML] engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems,” the Positive Technologies researchers wrote in an analysis.
The account behind the attack, “bvk,” was created in June 2023 and sat dormant until the campaign sprang to life on Jan. 29, according to the report. When executed, the researchers noted both “deepseeek” and “deepseekai” drop infostealers to steal sensitive data, including API keys, database credentials, and permissions.
The malicious PyPI packages have been deleted, but there’s evidence they were downloaded 36 times using the pip package manager and the bandersnatch mirroring tool, and 186 times using the browser, the researchers reported.
“Sometimes API keys aren’t leaked, they’re just plain stolen,” Tim Erlin, vice president of product at Wallarm, says. “This incident is a good example of attackers taking advantage of the prevailing news cycle. Anytime you’re doing something popular, whether clicking on a link or installing a PyPI package, it’s best to approach the task with a healthy dose of skepticism.”
That mindset can help developers avoid making similar cybersecurity slip-ups, according to Mike McGuire, senior security solutions manager with Black Duck.
“In their eagerness to leverage DeepSeek in their tasks, many developers missed the ‘red flag’ that they were downloading packages from an account with a limited, poor reputation, and had their environment variables and secrets compromised as a result,” McGuire says.
Ironically, given how advanced DeepSeek’s capabilities are touted to be, the attack itself was a fairly low-tech affair, Michael Lieberman, CTO at Kusari, notes.
“Typosquatting attacks are popular because they work,” Kusari points out. “It’s easy for a developer to mistype a word or use something with a similar-sounding name and suddenly their application is pulling in malicious code. Popular or trendy technologies are at particular risk since the pool of potential victims is larger.”
Adversaries Using AI to Write Code Faster Too
In a novel twist, the researchers found evidence the threat actors used AI to write the malicious code.
“There are clear indications that the compromised code was written with AI assistance, providing a real-world example of AI being used for malicious intent,” Wallarm’s Erlin says.
Erlin adds that developers should expect similar malicious packages to be scattered among various platforms.
“Developers, with malintent or not, are heavily invested in using AI to be more efficient,” he adds. “AI lets developers write more code, faster. We should expect to see the volume of malicious code expand at the same rate as code in general.”
To protect their environments from these threats, Raj Mallempati, CEO of BlueFlag Security, says developers need to implement strong security practices throughout the software development lifecycle (SDLC). That means using software composition analysis (SCA) tools, as well as automated vulnerability scanning, limiting the use of unverified packages in developer environments, and threat intelligence monitoring.
“This recent incident underscores the need for developers to specifically protect against threats like OSS typosquatting,” Mallempati explains. “Double-checking package names and verifying package sources that come from DeepSeek will be key here. As well, developers should enable dependency scanning tools like GitHub Dependabot to ensure they are not downloading malicious packages.”
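The "double-check package names" advice above, and Lieberman's point that typosquats work because a name one letter off from the real thing slips past a developer in a hurry, can be turned into a pre-install check. The script below is an added example written for this article, not code from Positive Technologies or any of the vendors quoted: it parses a requirements file, normalizes names the way PyPI does (PEP 503), and flags any name that is within a small edit distance of a package on the team's own allowlist but is not that package. The allowlist contents, the presence of a trusted package called `deepseek`, and the sample requirements lines are all constructed assumptions for the demonstration.

```python
"""Flag typosquat-like package names in a requirements file.

Added example for this article. Assumptions, not facts from the page:
the TRUSTED_PACKAGES allowlist (including a hypothetical approved
"deepseek" package) and SAMPLE_REQUIREMENTS are constructed here.
"""
from __future__ import annotations

import re

# Hypothetical allowlist: the packages this team has actually approved.
# A real deployment would load this from an internal registry or lockfile.
TRUSTED_PACKAGES = {"requests", "numpy", "pandas", "openai", "deepseek"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, with any run of
    '-', '_' or '.' collapsed to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirement(line: str) -> str | None:
    """Return the bare project name from one requirements line, or None
    for blank lines, comments and pip options such as '-r other.txt'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def classify(name: str, trusted=TRUSTED_PACKAGES,
             max_distance: int = 2) -> tuple[str, str | None]:
    """'trusted' if the name is on the allowlist, 'suspicious' if it is
    within max_distance edits of an allowlisted name without matching it,
    otherwise 'unknown' (not approved, but not imitating anything)."""
    n = normalize(name)
    by_norm = {normalize(t): t for t in trusted}
    if n in by_norm:
        return "trusted", by_norm[n]
    best, best_d = None, max_distance + 1
    for t_norm, t in by_norm.items():
        d = levenshtein(n, t_norm)
        if d < best_d:
            best, best_d = t, d
    if best is not None and best_d <= max_distance:
        return "suspicious", best
    return "unknown", None


def audit_requirements(text: str) -> dict[str, tuple[str, str | None]]:
    """Map each package named in a requirements file to its verdict."""
    results: dict[str, tuple[str, str | None]] = {}
    for line in text.splitlines():
        name = parse_requirement(line)
        if name is not None:
            results[name] = classify(name)
    return results


# Constructed requirements file. The two DeepSeek look-alikes are the
# package names the article reports; the rest are ordinary dependencies.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project
requests==2.32.3
numpy>=1.26
deepseeek
deepseekai
Pandas
somethingelse>=1.0  # not approved, but not close to any approved name
"""

if __name__ == "__main__":
    for pkg, (verdict, near) in audit_requirements(SAMPLE_REQUIREMENTS).items():
        hint = f" (one typo away from '{near}')" if verdict == "suspicious" else ""
        print(f"{verdict:10s} {pkg}{hint}")
```

Run on the sample, `deepseeek` and `deepseekai` both come back `suspicious` with `deepseek` as the nearest approved name, `Pandas` resolves to the approved `pandas` after normalization, and `somethingelse` is merely `unknown`. The check is deliberately narrow: it catches near-miss names, which is the typosquatting pattern the article describes, but it says nothing about a package's publisher. The other red flag Positive Technologies called out, a long-dormant account with no reputation, needs a lookup against the registry's metadata at install time, which an offline example like this cannot do.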
About the Author
Dark Reading
Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.