Multiple PyPI Packages Discovered Containing the W4SP Stealer Under Various Names

Threat actors have published yet another wave of malicious Python Package Index (PyPI) packages to deliver information-stealing malware to compromised developer machines.

Phylum, a cybersecurity company, discovered that all variants of W4SP Stealer share the names ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $taler, PURE Stealer, Satan Stealer, and @skid Stealer.

The primary purpose of W4SP Stealer is to steal sensitive user information, including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. An actor with the aliases BillyV3, BillyTheGoat, and billythegoat356 created and published it.

In a report released this week, researchers stated, “For whatever reason, each deployment appears to have attempted a simple find/replace of W4SP references with a seemingly arbitrary name.”

modulesecurity, informmodule, chazz, randomtime, proxygeneratorbil, easycordey, easycordeyy, tomproxies, sys-ej, py4sync, infosys, sysuptoer, nowsys, upamonkws, captchaboy, and proxybooster are the 16 rogue modules.

The distribution campaign for W4SP Stealer gained traction around October 2022, although evidence suggests it may have begun as early as August 25, 2022. Since then, persistent threat actors have uploaded dozens of additional bogus packages containing W4SP Stealer to the PyPI repository.

For what it’s worth, the most recent iteration of the activity does not attempt to conceal its malicious intent, except in the case of chazz, which uses the package to download obfuscated Leaf $tealer malware hosted on the klgrth[.]io paste service.

Notably, previous versions of the attack chains have been observed retrieving Python code for the subsequent stage directly from a public GitHub repository, which then drops the credential stealer.

The proliferation of new copycat variants coincides with GitHub’s removal of the repository containing the original W4SP Stealer source code, indicating that cybercriminals unaffiliated with the operation are also using the malware to target PyPI users.

“Open-source ecosystems such as PyPI, NPM, and the like are easy targets for these types of actors to attempt to deploy malware,” the researchers said. Their attempts will only increase in frequency, persistence, and sophistication.”

The software supply chain security company, which monitored the threat actor’s Discord channel, also observed that a previously flagged package known as pystyle had been trojanized by BillyTheGoat to distribute the stealer.

The module has not only amassed thousands of monthly downloads but also began as an innocuous utility in September 2021 to assist users in formatting console output. The malicious modifications were introduced in the October 28, 2022-released versions 2.1 and 2.2.

BillyTheGoat informed Phylum in “unsolicited correspondence” that these two versions, which were available on PyPI for roughly an hour before being removed, allegedly received 400 downloads.

The researchers cautioned, “Just because a package is benign today and has a history of being benign for years does not mean it will remain benign.” “Threat actors have demonstrated extraordinary patience in constructing legitimate packages, poisoning them with malware only after they have gained sufficient popularity.”

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus
Malware GuLoader Using New Methods to Avoid Security Software

December 26, 2022

Researchers in cyber security have uncovered a vast array of techniques used by the advanced malware downloader GuLoader to circumvent security software. “New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any…

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of