Threat actors recently exploited the rising popularity of DeepSeek, a leading Chinese artificial intelligence platform, by uploading two malicious packages to the Python Package Index (PyPI): "deepseeek" and "deepseekai."
These packages, which mimicked legitimate DeepSeek developer tools, were designed as infostealers. When executed, they harvested sensitive user and system data, including environment variables like API keys, database credentials, and infrastructure access tokens, all of which are critical for application security.
The stolen information was then exfiltrated to a command-and-control server using Pipedream, a legitimate automation platform, enabling attackers to potentially access cloud services and other protected resources used by affected developers.
The packages were uploaded to PyPI on January 29, 2025, by an account created in June 2023 that had no prior activity. Despite rapid detection and removal by PyPI following a report from Positive Technologies, over 220 developers - primarily from the United States, China, Russia, Germany, Hong Kong, and Canada—had already downloaded the malicious packages.
Affected developers are strongly advised to rotate all API keys, authentication tokens, and passwords, and to check for unauthorized access to any cloud services that may have been compromised.
Sources: https://www.bleepingcomputer.com/news/security/deepseek-ai-tools-impersonated-by-infostealer-malware-on-pypi/; https://www.securitymagazine.com/articles/101366-deepseek-impersonating-malware-is-stealing-data-research-finds; https://fieldeffect.com/blog/infostealers-disguised-as-deepseek-ai-tools
Commentary
In the above matter, the malware targets developers for API keys.
API keys are valuable to malicious actors because they act as digital credentials that grant access to sensitive systems, data, and cloud services.
When attackers gain access to an API key, they can impersonate legitimate users or applications, potentially enabling unauthorized access to customer information, financial records, proprietary data, and cloud resources. This unauthorized access can result in serious consequences such as data breaches, intellectual property theft, fraud, and misuse of services - all of which can cause financial loss, regulatory penalties, and reputational harm for affected organizations.
To protect themselves from such risks, organizations should adopt several key security measures. First, they should regularly rotate and revoke API keys, especially if there is any suspicion of compromise.
It's also important to restrict API key permissions so that each key only has the minimum access necessary for its intended use. Secure storage of API keys is essential - keys should never be hardcoded in source code or shared in plaintext; instead, they should be kept in secure vaults or secret management tools.
Monitoring and auditing API key usage is another loss prevention step. Organizations should regularly review logs for unusual activity, such as unexpected API calls or access from unfamiliar locations. Implementing strong authentication and authorization - using multi-factor authentication, role-based access controls, and strict authorization checks for API endpoints - can further reduce risk.
Applying rate limiting helps prevent abuse and detect brute-force attacks, while encrypting data in transit ensures that all API communications are protected.
Finally, maintaining an accurate and up-to-date inventory of all APIs in use helps organizations quickly identify and address vulnerabilities.
