Malicious Passlib Python Package Triggers Windows Shutdowns with Invalid Inputs
gbhackers
A deceptive and destructive Python package named psslib, uncovered by Socket’s Threat Research Team, poses a severe risk to developers by masquerading as a legitimate password security solution.
Published by the threat actor identified as umaraq, this malicious package typosquats the widely trusted passlib library, a toolkit with over 8.9 million monthly downloads used for secure password hashing and verification.
Unveiling a Deceptive Threat in Python’s Ecosystem
Unlike its legitimate counterpart, psslib is engineered to cause immediate system shutdowns on Windows environments when users input incorrect passwords, exploiting developer trust in security tools.

As of now, the package remains active on the PyPI registry, despite formal petitions for its removal, highlighting the persistent danger of supply chain attacks in open-source ecosystems.
The psslib package employs a seemingly innocuous password verification system ...