- Socket found seven malicious packages on PyPI
- The packages were abusing Gmail and WebSocket
- They were removed from the platform
Several malicious PyPI packages were recently observed abusing Gmail to exfiltrate stolen sensitive data and communicate with their operators.
Cybersecurity researchers Socket, who found the packages, reported them to the Python repository and thus helped get them removed from the platform – however the damage has already been done.
According to Socket, there were seven malicious PyPI packages, some of which were sitting on the platform for more than four years. Cumulatively, they had more than 55,000 downloads. Most are an imitation of the legitimate Coffin package, with names like Coffin-Codes-Pro, Coffin-Codes, NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, and Coffin-Grave. One was called cfc-bsb.
Compromised hosting accounts
The researchers explained that once the package is installed on the victim device, it connects to Gmail using hardcoded credentials, and contacts the C2 server.
It then creates a tunnel using WebSockets, and since Gmail’s email server is being used for communication, the communication bypasses most firewalls and other security measures.
As a result, the attackers are able to send commands, steal files, run code, and even access systems remotely.
However, it seems that the crooks were mostly interested in crypto theft, since one of the email addresses the malware was reaching out to had the words “blockchain” and “bitcoin” it it:
“Coffin-Codes-Pro establishes a connection to Gmail’s SMTP server using hardcoded credentials, namely sphacoffin@gmail[.]comand a password,” the report says.
“It then sends a message to a second email address, blockchain[.]bitcoins2020@gmail[.]com politely and demurely signaling that the implant is working.”
Socket has warned all Python users running any of the packages in their environment to remove them immediately and rotate keys and credentials as needed.
The researchers also urged everyone to watch for unusual outbound connections, “especially SMTP traffic”, and warned them not to trust a package just because it was a few years old.
“To protect your codebase, always verify package authenticity by checking download counts, publisher history, and GitHub repository links,” they added.
“Regular dependency audits help catch unexpected or malicious packages early. Keep strict access controls on private keys, carefully limiting who can view or import them in development. Use isolated, dedicated environments when testing third-party scripts to contain potentially harmful code.”
Via BleepingComputer
