
Malicious Python Package Quietly Targeted Cloud DevOps with Sophisticated Multi-Stage Infostealer

In the latest reminder of just how vulnerable the open-source ecosystem remains, security researchers have uncovered a stealthy, multi-stage malware campaign that infiltrated the Python Package Index (PyPI). Disguised as a benign extension for a niche sandboxing environment, the malicious package—chimera-sandbox-extensions—was anything but.


The discovery, made by the JFrog Security Research team, exposes an unsettling evolution in the threat landscape: malicious packages that are not just opportunistic, but finely tuned to exploit corporate environments. This isn't your average dependency hijack—it’s targeted espionage disguised as a dev tool.


“Incidents like the chimera-sandbox-extensions malicious package are another reminder of the risks open source repositories pose, despite their indispensable role in innovation,” said Jonathan Sar Shalom, Director of Threat Research at JFrog Security Research. “The targeted approach employed by this malware, along with the complexity of its multi-stage targeted payload, distinguishes it from the more generic open-source malware threats we have encountered thus far.”

A Trojan in the Toolbox


Uploaded under the user chimerai, the chimera-sandbox-extensions package masqueraded as an add-on for users working with the Chimera sandbox environment. But once installed, the package triggered a series of covert operations that read more like a cyber-espionage playbook than a rogue script.


At the core of the operation was a domain generation algorithm (DGA) seeded for reproducibility. This allowed the malware to predictably generate a specific list of subdomains under the chimerasandbox.workers.dev domain, each acting as a potential command-and-control (C2) endpoint.


Only one of the ten generated domains responded—a tactic often used to foil researchers and sandbox detection tools. If a live domain responded successfully, the package would initiate a handshake, fetch a token, and pull a second-stage Python payload designed for stealthy credential theft.


Not Your Average Infostealer


Unlike traditional infostealers that broadly target personal data, this payload was engineered to exfiltrate high-value corporate secrets. The stolen data included:


  • JAMF receipts (commonly used in enterprise Apple device management)
  • CI/CD environment variables
  • AWS credentials
  • Zscaler configuration data
  • Git information and host OS details
  • External IP and execution context metadata


This granular scope suggests the malware author had a specific class of victim in mind: DevOps teams managing cloud-native infrastructure.


The use of exec() to dynamically load and run malicious Python code from the second stage made the package especially dangerous, as it could mutate or escalate privileges in future payload iterations. Though JFrog's researchers halted the execution chain before observing a third stage, the infrastructure was clearly primed for ongoing attack waves.


Sophistication on the Rise


The packaging was elegant, the execution subtle. This isn’t a one-off fluke—it’s the future shape of supply chain attacks. With initial access gained through an innocent-looking PyPI dependency, the malware deployed targeted reconnaissance, dynamically evaluated the value of the host, and left open the door for further exploitation.


The structure of the attack also shows the growing modularity of Python-based malware. The initial package merely set the stage—domain checking, payload negotiation, token acquisition—before deferring to dynamically loaded modules for actual data theft. This approach not only reduces the static footprint of the malware but also complicates attribution and detection.


Rapid Response, Ongoing Risks


Upon discovering the malicious upload, JFrog immediately alerted PyPI maintainers, who removed the package. Detection signatures have since been added to JFrog Xray, the company's artifact security platform.


But as Sar Shalom notes, this incident isn’t just a cleanup job—it’s a call to action. Open-source ecosystems continue to be a double-edged sword for developers. They accelerate innovation, but they also widen the attack surface.


Recommendations


Developers using sandbox environments—particularly Chimera or similar tools—are urged to:


  • Revoke any possibly compromised tokens or credentials
  • Scan environments for remnants of the package
  • Monitor for unusual outbound traffic to workers.dev subdomains
  • Validate the integrity of other dependencies in their pipeline
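
One way to carry out the scanning and monitoring steps above, as an added example that is not code from JFrog or from the original article. The package name and parent domain come from the article; the function names, the requirements text and the log lines are constructed for illustration.

```python
import re
from importlib import metadata

BAD_PACKAGE = "chimera-sandbox-extensions"   # package name given in the article
C2_PARENT = "chimerasandbox.workers.dev"     # parent domain given in the article

def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of - _ . are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_hits(dist_names=None):
    """Return installed distribution names that normalize to the bad package."""
    if dist_names is None:  # default: inspect the current interpreter's environment
        dist_names = [d.metadata["Name"] for d in metadata.distributions()]
    return [n for n in dist_names if n and normalize(n) == BAD_PACKAGE]

REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def requirement_hits(text):
    """Return (line_no, line) for requirement lines that name the bad package."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQ_NAME.match(line.split("#", 1)[0])  # ignore trailing comments
        if m and normalize(m.group(1)) == BAD_PACKAGE:
            hits.append((no, line.strip()))
    return hits

HOST = re.compile(r"\b((?:[a-z0-9-]+\.)+" + re.escape(C2_PARENT) + r")\b", re.I)

def c2_lookups(log_lines):
    """Return the set of subdomains of the C2 parent seen in DNS/proxy log lines."""
    return {m.group(1).lower() for line in log_lines for m in HOST.finditer(line)}

# Constructed sample inputs (not taken from the article or any real environment).
SAMPLE_REQS = "requests==2.32.3\nChimera_Sandbox.Extensions>=0.1  # pulled in by a teammate\n"
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z dns query A constructed-label.chimerasandbox.workers.dev from 10.0.0.5",
    "2025-01-01T10:00:01Z dns query A docs.workers.dev from 10.0.0.5",
]

if __name__ == "__main__":
    print("installed:", installed_hits())
    print("requirements:", requirement_hits(SAMPLE_REQS))
    print("dns/proxy:", sorted(c2_lookups(SAMPLE_LOG)))
```

Matching on the normalized name matters because pip treats chimera_sandbox_extensions and Chimera.Sandbox.Extensions as the same project, so a literal string search over lock files can miss a pinned copy.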


While chimera-sandbox-extensions has been removed, the larger threat remains. Attackers are watching GitHub activity, targeting niche projects, and slipping payloads into the global supply chain. Today, it's a sandbox extension. Tomorrow, it could be your favorite linter.


The open-source world is no longer just a playground for collaboration—it's a battleground for your infrastructure.


For ongoing updates on open-source threats and CVEs, JFrog Security Research Center continues to publish vulnerability disclosures and protective guidance.
