

Ethical Hacking News

The Soopsocks Malware Scandal: A Cautionary Tale of Supply Chain Vulnerabilities




  • The soopsocks malware package was discovered on the Python Package Index (PyPI) repository, highlighting vulnerabilities in supposedly secure environments.
  • The package claimed to offer a SOCKS5 proxy service but actually served as a backdoor proxy server targeting Windows platforms.
  • The malware executed basic system and network reconnaissance and exfiltrated information to a hard-coded Discord webhook.
  • The malicious activities of soopsocks included running PowerShell scripts, setting firewall rules, and relaunching itself with elevated permissions.
  • The incident has significant implications for software developers, security experts, and users alike, emphasizing the need for greater vigilance in protecting against software supply chain attacks.


    The world of software development and deployment is often touted as a bastion of innovation and progress. However, the recent discovery of the soopsocks malware package on the Python Package Index (PyPI) repository serves as a stark reminder that even in this supposedly secure environment, vulnerabilities can quickly arise and wreak havoc. In this article, we will delve into the details of the soopsocks scandal, exploring its implications for software developers, security experts, and users alike.

    According to recent reports, the soopsocks package was first uploaded by a user named "soodalpie" on September 26, 2025, the same day the account was created. The package in question claimed to offer the ability to create a SOCKS5 proxy service, while also providing a stealthy backdoor-like functionality to drop additional payloads on Windows systems. Despite its innocuous-sounding purpose, an analysis by cybersecurity firm JFrog revealed that soopsocks exhibited behavior as a backdoor proxy server targeting Windows platforms, using automated installation processes via VBScript or an executable version.

    The executable ("_AUTORUN.EXE") was found to be a compiled Go file that, besides including a SOCKS5 implementation as advertised, was also designed to run PowerShell scripts, set firewall rules, and relaunch itself with elevated permissions. Furthermore, it carried out basic system and network reconnaissance, including Internet Explorer security settings and Windows installation date, and exfiltrated the information to a hard-coded Discord webhook.

    Similarly, "_AUTORUN.VBS," the Visual Basic Script launched by the Python package in versions 0.2.5 and 0.2.6, was capable of running a PowerShell script, which then downloaded a ZIP file containing the legitimate Python binary from an external domain ("install.soop[.]space:6969") and generated a batch script configured to install the package using the "pip install" command and run it.

    The PowerShell script then invoked the batch script, causing the Python package to be executed, which in turn elevated itself to run with administrative privileges (if not already), configured firewall rules to allow UDP and TCP communication via port 1080, installed as a service, maintained communication with a Discord webhook, and set up persistence on the host using a scheduled task to make sure it automatically started upon a system reboot.
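The chain above starts with non-Python artifacts (a VBScript and a Go executable) bundled inside a PyPI package and launched from Python code at install or import time. As an added example that is not part of the original article or of any analysis it cites, the following Python script inspects a wheel or sdist for exactly that pattern: embedded Windows executables/scripts and Python source that shells out to a script host. The sample wheel it builds in memory is constructed for illustration and is not the real soopsocks artifact.

```python
import io
import re
import tarfile
import zipfile

# Extensions with no business inside a pure-Python package; the reported
# package shipped _AUTORUN.EXE (a Go binary) and _AUTORUN.VBS.
SUSPICIOUS_EXT = (".exe", ".vbs", ".bat", ".cmd", ".ps1", ".dll")
# Install-time or import-time code that shells out to Windows script hosts.
SUSPICIOUS_CODE = re.compile(
    r"(subprocess\.\w+|os\.system|os\.popen|powershell|cscript|wscript)", re.I)

def _members(data):
    """Yield (name, bytes) for every file in a wheel (zip) or sdist (tar.*)."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for n in zf.namelist():
                if not n.endswith("/"):
                    yield n, zf.read(n)
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            for m in tf.getmembers():
                if m.isfile():
                    yield m.name, tf.extractfile(m).read()

def scan_archive(data):
    """Return a sorted list of (member name, reason) findings for an archive."""
    findings = []
    for name, content in _members(data):
        if name.lower().endswith(SUSPICIOUS_EXT):
            findings.append((name, "non-Python payload"))
        elif name.endswith((".py", "setup.cfg")):
            m = SUSPICIOUS_CODE.search(content.decode("utf-8", "replace"))
            if m:
                findings.append((name, f"shells out: {m.group(0)}"))
    return sorted(findings)

def build_sample_wheel():
    """Constructed in-memory wheel mimicking the reported layout (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("soopsocks/__init__.py",
                    'import subprocess\nsubprocess.Popen(["cscript", "_AUTORUN.VBS"])\n')
        zf.writestr("soopsocks/_AUTORUN.VBS", "' constructed placeholder\n")
        zf.writestr("soopsocks/_AUTORUN.EXE", b"MZ constructed placeholder")
        zf.writestr("soopsocks/socks5.py", "def serve(port=1080):\n    pass\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in scan_archive(build_sample_wheel()):
        print(f"{reason:30} {name}")
```

Run it against a real download with `scan_archive(open("pkg.whl", "rb").read())` before installing; a hit on any pure-Python package deserves a manual look at what the launcher does.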

    In light of these findings, experts have expressed alarm over the soopsocks malware package. JFrog described the package as "a well-designed SOCKS5 proxy with full bootstrap Windows support," while also highlighting its malicious activities, such as firewall rules, elevated permissions, and various PowerShell commands, as well as the shift from simple, configurable Python scripts to a Go executable with hardcoded parameters and reconnaissance capabilities that report to a predetermined Discord webhook.

    The soopsocks scandal has significant implications for software developers, security experts, and users alike. It serves as a stark reminder that even in this supposedly secure environment, vulnerabilities can quickly arise and wreak havoc. Moreover, the recent actions taken by GitHub in response to a growing wave of software supply chain attacks have highlighted the need for more stringent measures to protect against such threats.

    Earlier this week, GitHub announced that it would shortly revoke all legacy tokens for npm publishers and that all granular access tokens for npm would have a default expiration of seven days (down from 30 days) and a maximum expiration of 90 days, where previously there was no limit. This move is seen as an effort to strengthen the security posture of its users.

    Similarly, cybersecurity firm Socket released a free tool called Socket Firewall that blocks malicious packages at install time across npm, Python, and Rust ecosystems, giving developers the ability to safeguard their environments against potential threats.

    The disclosure comes as npm package maintainers have raised concerns related to a lack of native 2FA workflows for CI/CD, self-hosted workflow support for trusted publishing, and token management following sweeping changes introduced by GitHub in response to a growing wave of software supply chain attacks.

    In conclusion, the soopsocks malware scandal serves as a cautionary tale of the vulnerabilities that can arise even in the most secure environments. It highlights the need for greater vigilance and cooperation among developers, security experts, and users alike in order to protect against such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Soopsocks-Malware-Scandal-A-Cautionary-Tale-of-Supply-Chain-Vulnerabilities-ehn.shtml

  • https://thehackernews.com/2025/10/alert-malicious-pypi-package-soopsocks.html


  • Published: Thu Oct 2 09:36:42 2025 by llama3.2 3B Q4_K_M
