
W4SP Stealer Update—Attacker now Attempting to Masquerade as Popular Orgs

Phylum's team has discovered more PyPI packages attempting to deliver W4SP stealer in ongoing supply-chain attack.

Published on

Nov 18, 2022

Written by

The Phylum Research Team




Hello again from the Phylum Research Team! It’s been 2 weeks since we published our deep dive into the on-going W4SP Stealer supply-chain attack targeting Python developers and this is still a very active attack. The attacker has continued releasing package after package at a slow but very steady pace.

The modus operandi appears to be the same, generally speaking. The attacker copies existing repos and injects a malicious __import__ statement into the or The number of layers and complexity of obfuscation varies slightly from package to package, but they all appear to still have the same common end goal of getting W4SP Stealer deployed on developers’ machines.
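As an added illustration (this is not code from the Phylum post or from the packages it describes), the following scanner shows how a defender can use Python's ast module to flag the kind of injected construct described above: a dynamic __import__ call feeding exec() with a decoded blob, placed in an otherwise benign-looking module. The two module bodies it scans are constructed for this example (the encoded string decodes to a harmless print call), and the choice to inspect only setup.py and __init__.py is an assumption for the example, not something the post states.

```python
import ast
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample: a harmless helper function followed by the style of
# injected line the post describes (dynamic import -> decoder -> exec).
# The blob is base64 for print('hello'), chosen so the sample is harmless.
CONSTRUCTED_INIT_PY = '''\
"""Colour helpers (constructed sample for this example)."""

def colorize(text, color):
    return f"[{color}]{text}[/{color}]"

__import__("builtins").exec(
    __import__("base64").b64decode("cHJpbnQoJ2hlbGxvJyk=")
)
'''

# Constructed clean counterpart: same helper, ordinary import statement.
CLEAN_INIT_PY = '''\
"""Colour helpers (constructed clean sample)."""
import os

def colorize(text, color):
    return f"[{color}]{text}[/{color}]"
'''

# Heuristic: base64-alphabet-only string literal, at least 16 chars, 4-aligned.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")
SINKS = {"exec", "eval"}
DECODERS = {"b64decode", "b32decode", "b85decode"}
TARGET_FILES = {"setup.py", "__init__.py"}  # assumption: files worth inspecting


def scan_source(source: str, filename: str = "<string>") -> List[Dict]:
    """Return findings ({file, line, rule, detail}) for suspicious constructs."""
    findings: List[Dict] = []
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        return [{"file": filename, "line": exc.lineno or 0,
                 "rule": "unparseable", "detail": str(exc)}]

    def add(node: ast.AST, rule: str, detail: str) -> None:
        findings.append({"file": filename, "line": node.lineno,
                         "rule": rule, "detail": detail})

    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name):
                name = func.id
            elif isinstance(func, ast.Attribute):
                name = func.attr
            else:
                name = None
            # __import__("x") where a plain import statement would be expected.
            if name == "__import__":
                arg = node.args[0] if node.args else None
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                    add(node, "dynamic-import", f"__import__({arg.value!r})")
                else:
                    add(node, "dynamic-import", "__import__ with non-literal name")
            elif name in SINKS:
                add(node, "code-sink", f"{name}() call")
            elif name in DECODERS:
                add(node, "decoder", f"{name}() call")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if BASE64_RE.match(node.value) and len(node.value) % 4 == 0:
                add(node, "encoded-blob", f"{len(node.value)}-char base64-like literal")
    return findings


def is_suspicious(findings: List[Dict]) -> bool:
    """A code sink combined with dynamic import, a decoder or a blob is the signal."""
    rules = {f["rule"] for f in findings}
    return "code-sink" in rules and bool(rules & {"dynamic-import", "decoder", "encoded-blob"})


def scan_package_dir(root: str) -> Dict[str, Tuple[bool, List[Dict]]]:
    """Scan the target files under an unpacked package and return per-file verdicts."""
    results = {}
    for path in sorted(Path(root).rglob("*.py")):
        if path.name in TARGET_FILES:
            findings = scan_source(path.read_text(encoding="utf-8"), str(path))
            results[str(path)] = (is_suspicious(findings), findings)
    return results


if __name__ == "__main__":
    # Write both constructed samples into a throwaway package layout and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "badpkg").mkdir()
        (Path(tmp) / "badpkg" / "__init__.py").write_text(CONSTRUCTED_INIT_PY)
        (Path(tmp) / "goodpkg").mkdir()
        (Path(tmp) / "goodpkg" / "__init__.py").write_text(CLEAN_INIT_PY)
        for file, (verdict, found) in scan_package_dir(tmp).items():
            print(f"{'SUSPICIOUS' if verdict else 'clean':10} {file}")
            for f in found:
                print(f"    line {f['line']:>3}  {f['rule']:14} {f['detail']}")
```

The rules are deliberately simple heuristics: a single __import__ or a lone base64 literal is common in legitimate code, so the verdict only turns on when a code sink (exec/eval) appears alongside a dynamic import, a decoder call or an encoded literal in the same file. Run on an unpacked sdist or wheel before installing, this catches the unobfuscated tier of what the post describes; heavier obfuscation layers would need the decoded stages scanned in turn.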

Mozilla on PyPI⁉️

In a brazen albeit strange twist, just this morning, the attacker published a package on PyPI called mozilla under a username also registered as “Mozilla.” We’re not sure what a Python developer might expect to receive by pip installing mozilla onto their machine (perhaps a terminal-based Firefox??) but there you have it—not a typosquat, per se, but a “brandsquat” maybe? The attacker is clearly trying to pose as the organization itself, hoping to rely on brand name recognition to not raise suspicion. Either way, this particular attempt has lifted the legitimate part of the code from a package called app-graphs.




The Full List

You can see from some entries on the list that Mozilla isn’t the only brand name being used. There are a handful of packages released with Discord and TikTok in the names as well.

This attack has proven to be bold, steady and relentless. Here’s a full list of the additional packages we’ve uncovered since our last report:

  • mozilla
  • shortnet
  • shortnets
  • pylo-color
  • web5
  • color-random
  • simple-color
  • loy
  • auo
  • color-utility
  • tiktok-filter-api
  • Discord-Embedds
  • color-utility-test
  • pyshftuler
  • blockcypher-lib
  • discord-api-wrapper
  • ascii2art
  • crypto-payments
  • apch
  • colors-it

We at Phylum are continuing to closely watch this attack and report all these packages as soon as we see them. Be sure to stay tuned for our next update!


As of publication, the total download count for this new set of packages is about 3000 downloads.
