Every month, malicious packages are reported to be found and neutralized in the PyPI, npm, and RubyGems repositories. They steal AWS tokens, payment card data, browser passwords, and other sensitive information. Open‑source projects appear to be a great opportunity for information security vendors to demonstrate their robust solutions for secure development. Hence, malware is not supposed to go unnoticed for a long time. But how do things actually stand?

This study, which began in February 2022, uncovers over a hundred packages in PyPI that somehow escaped the eyes of security researchers, with the oldest package dating back to July 2018. The report explains how trojans in Python disguise themselves, what evasion methods they use, and how they are spotted by the detection system.