Inside of the WASP's nest: deep dive into PyPI-hosted malware
ID: 05ecc232-e323-55c9-a18d-3f783563c31a
STIX ID: report--05ecc232-e323-55c9-a18d-3f783563c31a
Feed Name: VirusTotal Blog
This report documents the discovery and analysis of dozens of malicious or typosquatted Python packages hosted on PyPI that act primarily as info-stealers — harvesting browser cookies, credentials and Discord tokens, and hijacking cryptocurrency addresses copied to the clipboard — with sophistication ranging from simple token-grabbers to obfuscated multi-stage droppers (W4SP family, BlackCap, Vespy, etc.). The authors detail TTPs (exfiltration channels such as Discord webhooks, Telegram and Gofile; sandbox checks; clipboard monitoring), provide an extensive appendix of IOCs (many SHA256 hashes, URLs and IPs), and note that widespread code reuse and forking among these malware families increases the supply-chain risk for Python developers.
