Open Source · 2022-08-24 · 0 days · Data Exfiltration

exotel PyPI phishing shipped malware

Part of the JuiceLedger phished PyPI maintainers campaign

JuiceLedger used phished PyPI credentials to publish malicious exotel 0.1.6. The release collected environment data and ran a downloaded trojan at install time.

Story

exotel was one of the packages caught in the 2022 JuiceLedger PyPI phishing wave. The attacker did not need to impersonate the package name. They obtained publishing access and uploaded version 0.1.6 to the real PyPI project.

The malicious release executed during installation. Its setup code collected environment data from the host, reached out to attacker infrastructure, and then downloaded and executed a second-stage payload. That made developer machines and CI runners the primary exposure surface, because the code ran at install time, before any exotel application logic was invoked.

The campaign was notable because it targeted maintainers through PyPI-themed phishing rather than package consumers directly. Once credentials were stolen, PyPI became the distribution system for code that looked ordinary by package coordinate but hostile by content.

The affected release was removed and advisories were published through GitHub and PyPA. The JuiceLedger campaign hit more than one project, but this record stays package-specific: the affected version, hashes, and package archive listed here belong to exotel alone.

Affected Artifacts

exotel

pypi · repository · Source Archive
Observed
2022-08-24
Compromised Versions
0.1.6
Fixed
Not listed
Hashes
  • sha256:fbb13333b05eaab13d5d4810f92dbd5dfc4c25cf14e4471c6352b046c6653b6f
  • sha256:60434af3ebe924efabc96558e6c8d8176bf4eb06dd6cc47b4c491da9964be874
  • sha256:8e97c6883e7af5cc1f88ac03197d62298906ac4a35a789d94cc9fde45ee7ea13

Incident Context

Motive
Credential Theft
Attribution
Group
Cause
Compromised Account Credentials
Transitive
No
Actor
JuiceLedger
User Impact
480000

External References

Source record: oss/attacks/exotel/meta.yaml