Researchers say cybercriminals in Iraq appear to be responsible for secretly malicious Python code posted to the popular PyPI repository. The script runs as part of an infected package downloaded from PyPI, and the cybercriminals use the malware to exfiltrate sensitive user data to a Telegram chatbot linked to multiple cybercriminal operations based in Iraq, according to a report by the cybersecurity firm Checkmarx.

The bot's activity dates back to 2022 and contains over 90,000 messages, mostly in Arabic, Checkmarx said. The bot's operators exploit victims by exfiltrating their data and have been involved in other criminal activities such as financial theft, purchasing Telegram and Instagram views and followers, and offering discounted Netflix memberships, the researchers said.

Software developers use PyPI to publish, discover, and install Python software. The packages were uploaded by a user with the nickname "dsfsdfds," Checkmarx said. The malicious script scans the victim's device for files and photos with specific extensions and sends them to the attackers' Telegram bot. According to Checkmarx, the bot operator maintained numerous other bots and was likely based in Iraq.

"What initially appeared to be an isolated incident of malicious packages turned out to be just the tip of the iceberg, revealing a well-established criminal ecosystem based in Iraq," the researchers said.

Checkmarx claimed to have gained direct access to the Telegram bot and monitored its activities. That is how the researchers discovered that some of the campaigns using malicious Python packages had been successful. They did not specify who was targeted by the hackers, what kind of data was obtained, or how it was exploited. Checkmarx had not replied to a request for comment at the time of publication.
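The behaviour described above (a hard-coded Telegram Bot API endpoint, a filesystem walk, and a list of target file extensions) can be checked for statically in an installed package. The following is an added example for defenders, not code from the report or from the malicious packages; the sample source it scans is constructed here, and the indicator thresholds are an assumption of this example.

```python
import ast
import os
from typing import Dict, List

TELEGRAM_HOST = "api.telegram.org/bot"  # Bot API URLs embed the bot token after /bot
Found = Dict[str, List[str]]


def _dotted(node: ast.AST) -> str:
    """Render an attribute chain such as os.walk as the string 'os.walk'."""
    parts: List[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def telegram_exfil_indicators(source: str) -> Found:
    """Collect the three indicators from one Python source file via its AST."""
    found: Found = {"telegram_api": [], "fs_walk": [], "extensions": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if TELEGRAM_HOST in node.value:
                found["telegram_api"].append(node.value)
            elif (node.value.startswith(".") and 2 <= len(node.value) <= 6
                  and node.value[1:].isalnum()):
                found["extensions"].append(node.value)  # looks like ".jpg"
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in ("os.walk", "glob.glob") or name.endswith(".rglob"):
                found["fs_walk"].append(name)
    return found


def is_suspicious(found: Found) -> bool:
    """Flag only when all three behaviours co-occur (assumed threshold)."""
    return bool(found["telegram_api"]) and bool(found["fs_walk"]) \
        and len(found["extensions"]) >= 2


def scan_package_dir(path: str) -> Dict[str, Found]:
    """Walk an installed package directory and report suspicious .py files."""
    hits: Dict[str, Found] = {}
    for root, _, files in os.walk(path):
        for name in files:
            if not name.endswith(".py"):
                continue
            full = os.path.join(root, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    found = telegram_exfil_indicators(fh.read())
            except SyntaxError:
                continue  # not valid Python 3; skip rather than crash
            if is_suspicious(found):
                hits[full] = found
    return hits


# Constructed sample showing only the indicators, not a working payload.
SAMPLE = '''
import os
API = "https://api.telegram.org/bot<TOKEN>/sendDocument"
TARGET_EXT = (".jpg", ".png", ".pdf", ".docx")
for root, _, files in os.walk(os.path.expanduser("~")):
    pass
'''
```

Run `scan_package_dir` against a `site-packages/<package>` directory to triage a suspect install; a hit is a reason to inspect the file, not proof of malice on its own.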