Cybersecurity researchers discovered a malicious package on the Python Package Index (PyPI) repository. Although the package initially presents itself as a harmless Discord-related utility, it actually hides a remote access trojan.
The package, discordpydebug, was uploaded to PyPI on March 21, 2022. It has been downloaded 11,574 times since then, has never received an update, and remains available on the registry.
“At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library,” the Socket Research Team explained. “However, the package concealed a fully functional remote access trojan (RAT).”
Once installed, the package polls an external server ("backstabprotection.jamesx123.repl[.]co") for commands. Two of them, readfile and writefile, give the operator read and write access to files on the host, and the RAT can also execute shell commands.
In practice, that lets an operator read sensitive data such as configuration files, tokens, and credentials, modify files on disk, drop additional payloads, and run commands to exfiltrate data.
“While the code does not include mechanisms for persistence or privilege escalation, its simplicity makes it particularly effective,” Socket noted. “Moreover, its use of outbound HTTP polling rather than inbound connections allows it to bypass most firewalls and security monitoring tools—especially in less tightly controlled development environments.”
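The indicators above (the package name and the C2 host) are enough for a quick sweep of a Python environment. The following is an added example, not code from Socket, TheHackerNews, or the malicious package: it walks site-packages directories, flags any package directory named discordpydebug, and flags any file that contains the reported C2 host, with the readfile/writefile command pair as a weaker secondary indicator. The sample tree written by build_sample_tree() is constructed here for demonstration and contains only the indicator strings, not the real package.

```python
"""IOC sweep for the discordpydebug RAT described above (added example)."""
import os
import sys
import tempfile

# Indicators taken from the report above.
PACKAGE_NAME = "discordpydebug"
C2_HOST = "backstabprotection.jamesx123.repl.co"
# Command names the RAT accepts over its HTTP poll; both together are a
# weaker, secondary indicator than the host string itself.
RAT_COMMANDS = (b"readfile", b"writefile")
# File types worth reading: source plus the metadata pip writes.
SCAN_SUFFIXES = (".py", ".txt", ".cfg", ".toml", "METADATA", "RECORD")


def site_package_dirs():
    """site-packages / dist-packages directories of the running interpreter."""
    return [p for p in sys.path
            if p.endswith(("site-packages", "dist-packages")) and os.path.isdir(p)]


def scan_dir(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            # Matches both the module dir and e.g. discordpydebug-0.0.4.dist-info
            if d.lower().split("-")[0] == PACKAGE_NAME:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append((rel, "package directory name"))
        for f in filenames:
            if not f.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, f)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            if C2_HOST.encode() in data:
                findings.append((rel, "references C2 host"))
            elif all(cmd in data for cmd in RAT_COMMANDS):
                findings.append((rel, "readfile/writefile command strings"))
    return sorted(findings)


def build_sample_tree(base):
    """Write a constructed, inert stand-in for an infected site-packages tree.

    The fake module only holds the indicator strings and performs no network
    or file operations. A clean package is included to show no false hit.
    """
    root = os.path.join(base, "site-packages")
    bad = os.path.join(root, PACKAGE_NAME)
    clean = os.path.join(root, "cleanpkg")
    os.makedirs(bad)
    os.makedirs(clean)
    with open(os.path.join(bad, "__init__.py"), "w") as fh:
        fh.write("# constructed sample, not the real package\n"
                 f"SERVER = 'https://{C2_HOST}/'\n"
                 "COMMANDS = ('readfile', 'writefile')\n")
    with open(os.path.join(clean, "__init__.py"), "w") as fh:
        fh.write("def hello():\n    return 'hi'\n")
    return root


def demo():
    """Scan the constructed sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as base:
        return scan_dir(build_sample_tree(base))


if __name__ == "__main__":
    # Sweep the running interpreter first, then the constructed sample.
    for d in site_package_dirs():
        for rel, reason in scan_dir(d):
            print(f"{d}: {rel}: {reason}")
    for rel, reason in demo():
        print(f"sample: {rel}: {reason}")
```

Run it under each interpreter or virtualenv you care about, since sys.path only covers the one that executes it. A hit on the host string is conclusive for this sample; the command-string heuristic should be reviewed by hand, and neither check will catch a future variant that changes its C2 or command names, so pair it with network logging for outbound polling to unfamiliar hosts.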
Separately, Socket, a software supply chain security company, uncovered more than 45 npm packages that pose as legitimate libraries from other ecosystems in order to trick developers into installing them. They include:
- beautifulsoup4 (a typosquat of the BeautifulSoup4 Python library)
- apache-httpclient (a typosquat of the Apache HttpClient Java library)
- opentk (a typosquat of the OpenTK .NET library)
- seaborn (a typosquat of the Seaborn Python library)
Further analysis showed that, although the packages list different maintainers, they share the same infrastructure, use similar obfuscated payloads, and connect to the same IP address, which strongly suggests a single threat actor behind the campaign.
“Packages identified as part of this campaign contain obfuscated code designed to bypass security measures, execute malicious scripts, exfiltrate sensitive data, and maintain persistence on affected systems,” Socket explained.
Source: TheHackerNews