An ongoing supply chain attack has been leveraging malicious Python packages to distribute malware called W4SP Stealer, with over hundreds of victims ensnared to date.

"The threat actor is still active and is releasing more malicious packages," Checkmarx researcher Jossef Harush said in a technical write-up, calling the adversary WASP. "The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales."

The findings from Checkmarx build on recent reports from Phylum and Check Point, which flagged 30 different modules published on the Python Package Index (PyPI) that were designed to propagate malicious code under the guise of benign-looking packages.

The attack is just the latest threat to target the software supply chain. What makes it notable is the use of steganography to extract a polymorphic malware payload hidden within an image file hosted on Imgur.