Malicious PyPI Packages Exploit Gmail: Critical Data Theft Campaign

In May 2025, security researchers uncovered a series of malicious Python packages on the Python Package Index (PyPI) that abuse the Gmail API to exfiltrate sensitive user data. These malicious PyPI packages exploit Gmail, highlighting a disturbing evolution of supply chain attacks targeting developers directly through trusted open-source ecosystems.

As open-source software continues to gain popularity, the reliance on package managers like PyPI is higher than ever. This dependency increases the surface area for potential attacks, making it crucial for developers to remain vigilant. Security researchers have highlighted the importance of understanding how these malicious packages operate, as it can significantly influence how developers approach package selection and usage.

In one notorious case, a malicious package disguised as a utility for data analysis was downloaded thousands of times before it was detected. This incident revealed how easily developers can be misled by seemingly legitimate packages. As a measure of caution, it is advisable for users to thoroughly vet packages they intend to use, checking for reviews, download statistics, and source code quality.

These packages masquerade as legitimate tools but contain obfuscated payloads that, once installed, initiate OAuth-based Gmail API calls to access inbox content and forward exfiltrated data to attacker-controlled accounts.

Attack Details: How the Gmail Exploit Works

In addition to the methods mentioned, attackers may use social engineering techniques to encourage users to install these malicious packages. For instance, they may create fake blogs or forums promoting the tool as a solution to common programming problems or as a highly rated utility, making it more appealing to unsuspecting developers.

Once these malicious packages are installed, they execute scripts that request permissions to access user accounts under the guise of legitimate functionality. This often involves displaying pop-ups that appear harmless, leading users to unknowingly grant extensive access to their Gmail accounts. Post-installation, the malware begins its harmful activity:

These malicious PyPI packages exploit Gmail in various ways, posing significant risks to users’ data integrity and privacy.

• Extracts emails, drafts, and attachments
• Steals sensitive tokens and environment variables
• Uses built-in Gmail APIs to forward stolen data
• Evades detection using standard OAuth tokens and Gmail SMTP
  

Some samples also integrated time-based triggers to delay execution, making sandbox detection harder.

Furthermore, these packages may include features that allow them to blend seamlessly into the user’s environment, making detection even more difficult. For example, they might create fake logs or alter existing ones to hide their activities, complicating forensic investigations.

Key Indicators of Compromise (IOCs)

There are tools available, such as pip check, which can help identify dependency issues and flag concerns with installed packages. Incorporating these tools into regular development practices can significantly enhance security.

Additionally, organizations should establish a protocol for regularly reviewing installed packages and their permissions. Regular audits can help identify any unauthorized access and potential vulnerabilities in the package lifecycle.

Here are notable IOCs related to this campaign:

• Suspicious PyPI packages: pyobfuscateutils, cloudmailclient, secure-env-sync
• Domains used for C2:
  
• api.mailforwarding[.]cc
• cloudpostman[.]pro
• File artifacts: gmail_handler.py, .oauth_secrets.json
• Gmail API scope abuse:
  
• https://www.googleapis.com/auth/gmail.readonly
• https://www.googleapis.com/auth/gmail.modify
  

Technical Analysis of PyPI Package Payloads

Upon installation, the packages initiate a setup.py or __init__.py sequence embedded with base64 or AES-encrypted payloads. These payloads:

• Leverage google-auth and google-api-python-client
• Create silent OAuth device flows
• Dump ~/.bash_history, ~/.ssh/, and .env contents
• Compress exfiltrated files using gzip or zlib
• Transmit data via Gmail draft API or third-party SMTP
  

Example snippet:

service.users().messages().send(userId="me", body=message).execute()

Abuse of Gmail API and OAuth Tokens

Rather than exfiltrate data to an external domain, attackers used Gmail itself to exfiltrate content—minimizing firewall and DLP detection.

• Gmail OAuth tokens are refreshable and long-lived
• Many organizations don’t log or alert on Gmail API access
• Gmail’s modify and readonly scopes were exploited to forward or hide messages
  

This technique offers stealth, persistence, and cloud-native exfiltration channels.

Impact on Developers and Supply Chain

This campaign exemplifies a growing trend: abusing trust in open-source repositories like PyPI to infiltrate developer environments and CI/CD pipelines.

Implications include:

• Credential leakage to GitHub, AWS, and GCP
• CI/CD token exposure
• Risk to corporate infrastructure via developer endpoints
• Undermined confidence in package supply chains
  

Defensive Measures and Detection Techniques

Organizations can mitigate these risks by:

• Blocking unknown PyPI packages via allow-lists
• Auditing OAuth grants across enterprise Google Workspace
• Monitoring Gmail API usage with Cloud Audit Logs
• Enforcing MFA on Google accounts
• Using pip install --no-binary :all: to inspect package contents
  

Detection via YARA or custom regex rules for suspicious Gmail API calls is also recommended.

Best Practices for PyPI Package Security

To defend against similar threats:

• Use tools like pip-audit and bandit regularly
• Lock dependencies with hashes in requirements.txt
• Subscribe to PyPI RSS or threat feeds
• Scan post-install behaviors in CI pipelines
• Avoid installing packages with low downloads or unknown maintainers
  

Final Thoughts

The malicious PyPI packages exploiting Gmail APIs underscore the evolving sophistication of supply chain attacks. By leveraging OAuth-based access and cloud-native APIs, attackers have blurred the line between trusted and malicious activity.

Security teams must stay proactive—monitoring OAuth scopes, enforcing package integrity, and educating developers about the risks embedded even in widely used ecosystems.

Organizations can also adopt a strategy of layering security measures, employing both technical and organizational controls. This approach can significantly bolster defenses against potential supply chain threats.

On top of these measures, creating a culture of security awareness among developers is vital. Regular training sessions can help developers recognize potential threats and understand best practices for secure coding.

Moreover, implementing dependency management tools that automatically check for vulnerabilities can help maintain a secure software supply chain. Tools like Dependabot can be integrated into workflows to alert teams about outdated or vulnerable packages.

Ultimately, the evolving threat landscape necessitates a proactive approach to software security. This includes not only monitoring and auditing but also engaging the broader developer community to share insights and lessons learned from past incidents.