Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT

Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT www.aikido.dev/blog/mali…

On January 20th and 21st, 2026, our malware detection pipeline flagged two new PyPI packages: spellcheckerpy and spellcheckpy. Both claimed to be from the legitimate author of the pyspellchecker library, and both linked to his real GitHub repo.

They weren’t his.

Hidden inside the Basque language dictionary file was a base64-encoded payload that downloads a full-featured Python RAT. The attacker published three “dormant” versions first (payload present, trigger absent), then flipped the switch with spellcheckpy v1.2.0, adding an obfuscated execution trigger that fires the moment you import SpellChecker.
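The technique described above (a base64 blob parked inside a data file that nobody reads, later wired to an import-time trigger) is something a defender can look for in any package before installing it. The scanner below is an added example written for this post; it is not Aikido's detection pipeline and not code from the malicious packages. It walks a package's files, pulls out long base64-alphabet runs, decodes the ones that yield printable text, and reports any that contain loader-style tokens such as `exec(` or `subprocess`. The sample "dictionary" file and the decoded stub it hides are constructed stand-ins, not the real payload; the file name `eu.txt` and the token list are assumptions.

```python
import base64
import re
from dataclasses import dataclass
from pathlib import Path

# A base64 run long enough to carry code rather than a single long word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")

# Tokens that have no business inside a word list but are common in loader stubs.
SUSPICIOUS_TOKENS = (
    "exec(", "eval(", "__import__", "compile(", "subprocess",
    "urllib", "socket", "marshal", "b64decode", "requests",
)


@dataclass
class Finding:
    path: str
    line_no: int
    tokens: tuple
    preview: str


def decode_if_text(blob: str):
    """Return the decoded text if `blob` is valid base64 for printable UTF-8, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Compressed or binary payloads are a separate signal; here we only flag plain source.
    if not all(ch.isprintable() or ch.isspace() for ch in text):
        return None
    return text


def scan_text(path: str, content: str):
    """Scan one file's content line by line for decodable blobs carrying loader tokens."""
    findings = []
    for line_no, line in enumerate(content.splitlines(), 1):
        for match in B64_RUN.finditer(line):
            decoded = decode_if_text(match.group(0))
            if decoded is None:
                continue
            hits = tuple(t for t in SUSPICIOUS_TOKENS if t in decoded)
            if hits:
                findings.append(Finding(path, line_no, hits, decoded[:60]))
    return findings


def scan_files(files: dict):
    """Scan an in-memory {path: content} mapping (handy for tests and for sdist contents)."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(path, content))
    return findings


def scan_directory(root: str):
    """Scan every regular file under an unpacked package directory."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            content = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(str(path), content))
    return findings


# Constructed sample: a harmless stub that merely *looks* like a downloader loader.
# It is not the real payload from the packages discussed above.
STUB = "import urllib.request, subprocess\nexec(compile('pass', '<stub>', 'exec'))\n"

# Constructed sample package: a few Basque-looking words with the stub buried in the middle.
SAMPLE_FILES = {
    "spellcheckpy/resources/eu.txt": "aita\namona\n"
        + base64.b64encode(STUB.encode()).decode() + "\netxe\nzuhaitz\n",
    "spellcheckpy/resources/en.txt": "apple\nbanana\ncherry\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} tokens={f.tokens} preview={f.preview!r}")
```

Run it against an unpacked sdist or wheel with `scan_directory("path/to/unpacked")`. The point of the design is that it inspects data files, not just `.py` files: the trigger in `__init__.py` can be obfuscated separately, but the encoded payload still has to sit somewhere in the distribution, and a 100-character base64 run inside a word list decodes to something no dictionary needs.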

Edward Kiledjian @ekiledjian