Somewhere right now, a developer is installing what they believe is a legitimate AI coding assistant. It isn’t. What they’re actually downloading is a carefully disguised piece of malware designed to harvest credentials, browser cookies, cryptocurrency wallets, and SSH keys — everything an attacker needs to compromise not just one person but potentially an entire software supply chain.
The campaign is sprawling and deliberate. According to TechRadar, security researchers at Kaspersky recently uncovered a wave of infostealer malware masquerading as popular AI developer tools on the Python Package Index (PyPI), the primary repository where Python developers download open-source libraries. The fake packages impersonated tools like Anthropic’s Claude Code, Google’s Gemini CLI, and an open-source project called OpenClaw — names that carry instant credibility in the developer community.
This isn’t a crude attack. It’s a sophisticated social engineering operation that exploits the explosive demand for AI-powered development tools and the implicit trust developers place in package managers.
The malicious packages identified by Kaspersky included names such as claude-code, google-gemini-cli, and openclaw — close enough to real tools to fool anyone moving quickly. And developers almost always move quickly. The packages contained infostealer payloads that, once installed, would silently exfiltrate sensitive data from the victim’s machine. Browser-stored passwords, authentication tokens, session cookies, cryptocurrency wallet files, and SSH private keys were all targeted. The stolen data was then transmitted to attacker-controlled servers, often through encrypted channels that made detection difficult.
Kaspersky’s researchers noted that the attackers demonstrated a clear understanding of developer workflows. They didn’t just slap malware into a random package and hope for the best. They crafted package descriptions, version histories, and metadata that mimicked legitimate projects. Some packages even included functional code alongside the malicious payloads, making them harder to distinguish from the real thing during casual inspection.
The timing of this campaign is no accident. The market for AI coding assistants has exploded over the past year. Anthropic launched Claude Code as a command-line tool for developers in early 2025, and Google released Gemini CLI shortly after. Both tools attracted enormous attention. When developers rush to adopt new tools — and the pressure to adopt AI tools in particular has become intense across the industry — they often skip the verification steps that might catch a fraudulent package.
PyPI has long been a target for supply chain attacks, but the scale and specificity of AI-themed lures represent something new. The repository hosts over 500,000 packages and processes billions of downloads annually. Its maintainers have implemented measures like two-factor authentication requirements for critical projects and automated malware scanning, but the sheer volume of uploads makes comprehensive vetting impossible. Attackers know this.
“The use of AI tool names as lures is a natural evolution,” said Sergey Lozhkin, a principal security researcher at Kaspersky, in comments reported by TechRadar. The logic is straightforward: developers are the highest-value targets in any organization because their machines typically have access to source code repositories, deployment pipelines, cloud infrastructure credentials, and production databases. Compromise a developer’s workstation and you potentially compromise everything that developer touches.
The broader infostealer threat has been accelerating for years, but 2024 and 2025 have seen a particularly sharp escalation. According to recent reporting from The Hacker News, multiple threat actors have been observed using fake AI tools as distribution vectors for malware families including Vidar, Raccoon Stealer, and custom-built exfiltration frameworks. The convergence of AI hype and supply chain vulnerability has created what amounts to a perfect storm for attackers.
And the damage from infostealers is not theoretical. In recent months, stolen credentials harvested by infostealer malware have been linked to major breaches at companies including Snowflake, Ticketmaster, and Santander Bank. In those cases, attackers used credentials stolen from employee machines to access cloud environments, exfiltrate customer data, and extort the affected companies. The initial infection vector in several of those incidents was traced back to infostealer malware that had been installed weeks or months earlier.
What makes the PyPI campaign particularly dangerous is the supply chain amplification effect. A developer who installs a malicious package on their work machine may inadvertently expose credentials that grant access to private code repositories, CI/CD pipelines, and cloud infrastructure. If the stolen SSH keys or API tokens are used to inject malicious code into legitimate software projects, the blast radius expands exponentially. One compromised developer can become the entry point for attacks affecting thousands of downstream users.
The mechanics of these attacks are worth understanding in detail. When a developer runs pip install claude-code — a plausible command for someone trying to install Anthropic’s tool — the malicious package executes a setup script during installation. This script typically downloads a secondary payload from a remote server, establishes persistence on the machine, and begins harvesting data. Modern infostealers are remarkably efficient. They can scan a system, locate and exfiltrate targeted files, and transmit the data to a command-and-control server in under 30 seconds. By the time the developer realizes something is wrong — if they ever do — the damage is done.
Browser credential theft is especially potent. Most developers use their browsers to access GitHub, AWS consoles, internal dashboards, Slack, and email. A single browser profile can contain dozens of saved passwords and active session cookies. With those in hand, an attacker can impersonate the victim across multiple services without triggering password-based security alerts. Session cookies are particularly valuable because they bypass multi-factor authentication entirely — the authentication has already occurred, and the cookie proves it.
Cryptocurrency wallets represent another high-value target. Many developers hold personal crypto assets, and wallet files or seed phrases stored on a developer’s machine can be drained within minutes of exfiltration. But the financial theft is almost secondary to the strategic value of the other stolen data. SSH keys and API tokens are the real prize.
So what’s being done about it? PyPI’s administrators have taken steps to combat malicious packages, including deploying automated scanning tools that check for known malware signatures and suspicious behaviors in uploaded packages. In 2024, PyPI began requiring all maintainers to enable two-factor authentication, a measure designed to prevent account takeover attacks that had previously been used to inject malware into legitimate packages. But these defenses are reactive by nature. Attackers continuously modify their payloads to evade signature-based detection, and the time between a malicious package being uploaded and being flagged can range from hours to weeks.
The open-source security community has also responded. Tools like Socket now offer real-time analysis of package dependencies, flagging suspicious behaviors like network calls during installation, obfuscated code, and unexpected file system access. GitHub’s Dependabot and similar tools can alert developers when known-vulnerable packages appear in their dependency trees. But these tools require developers to actually use them, and adoption remains uneven.
Industry groups have called for more fundamental changes to how package repositories operate. Proposals include mandatory code signing for all packages, reproducible builds that allow independent verification of package contents, and provenance attestations that cryptographically link a package to its source code and build process. The Sigstore project, backed by the Open Source Security Foundation, has made progress on some of these fronts, but widespread adoption is still years away.
For individual developers, the immediate defensive measures are straightforward but often neglected. Verify package names carefully before installation. Check download counts and publication dates — a package claiming to be a popular tool but showing only a few hundred downloads is a red flag. Review the package’s source code, or at least its setup script, before installing. Use virtual environments to isolate package installations. And never install packages on a machine that has access to production credentials without first verifying the package’s legitimacy.
Corporate security teams face a harder challenge. Developers need to install packages to do their work, and overly restrictive policies create friction that drives developers to find workarounds — which are often less secure than the original workflow. The most effective approach combines technical controls (internal package mirrors with pre-vetted packages, endpoint detection tools that monitor for infostealer behavior) with developer education that specifically addresses supply chain risks.
But education only goes so far when the lures are this convincing. The fake Claude Code package, for instance, was named exactly what a developer would type when trying to install Anthropic’s tool. No typosquatting, no subtle misspelling. Just a race to register the obvious package name before the legitimate project claimed it. This kind of name-squatting is devastatingly effective because it exploits a fundamental assumption: that the first result for a reasonable search term is the legitimate one.
Anthropic, Google, and other AI tool providers bear some responsibility here. When launching developer tools, claiming the corresponding package names on major repositories — PyPI, npm, RubyGems — should be a day-one priority. Leaving those names available is an open invitation for attackers. Some companies have gotten better at this, but the gap between product launch and package name registration remains a window of vulnerability that threat actors are eager to exploit.
The broader pattern is unmistakable. Attackers follow attention. When cryptocurrency was the hottest topic in tech, crypto-themed malware dominated. When remote work tools surged during the pandemic, fake Zoom and Teams installers proliferated. Now AI tools are the lure of choice. The underlying technique — disguising malware as something the victim actively wants to install — hasn’t changed. Only the packaging has.
And the stakes keep rising. As AI coding assistants become integrated into more development workflows, the attack surface grows. A compromised AI tool plugin could potentially intercept code suggestions, inject backdoors into generated code, or exfiltrate proprietary codebases. These aren’t hypothetical scenarios. They’re the logical next step for threat actors who have already demonstrated the ability to infiltrate developer toolchains.
The Kaspersky findings should serve as a blunt reminder: the same enthusiasm that drives rapid adoption of new technology also creates the conditions for its exploitation. Every new tool is a potential attack vector. Every unverified download is a gamble. And in the current environment, the attackers are betting that developers’ eagerness to adopt AI tools will outpace their caution.
They’re usually right.


WebProNews is an iEntry Publication