
In a recent cybersecurity revelation, seven malicious PyPI packages were identified using Gmail's SMTP servers and WebSockets to facilitate data exfiltration and remote command execution. Discovered by Socket's threat research team, these packages have since been removed from PyPI. However, they had been available for over four years, with one package downloaded more than 18,000 times.
Details of the Malicious Packages
The malicious packages, masquerading as legitimate software, were designed to impersonate the genuine Coffin package, which integrates Jinja2 templates into Django projects. Each package carried hardcoded Gmail credentials and used them to authenticate to Gmail's SMTP server, giving attackers a channel for remote access to the systems where the package was installed.
List of Affected Packages
- Coffin-Codes-Pro: 9,000 downloads
- Coffin-Codes-NET2: 6,200 downloads
- Coffin-Codes-NET: 6,100 downloads
- Coffin-Codes-2022: 18,100 downloads
- Coffin2022: 6,500 downloads
- Coffin-Grave: 6,500 downloads
- cfc-bsb: 2,900 downloads
Technical Exploitation Methods
The malicious functionality of these packages involved covert remote access and data exfiltration through Gmail. Because Gmail's servers are widely trusted, the traffic passed firewalls and endpoint detection systems without raising alarms. Following the email signaling phase, the malware established a persistent, encrypted tunnel using WebSocket over SSL, through which attackers could carry out a range of malicious activities.
Capabilities of the Malware
- Remote Access: Facilitates internal admin panel and API access.
- Data Exfiltration: Enables file transfer and email exfiltration.
- Command Execution: Allows shell command execution and credential harvesting.
- Lateral Movement: Supports movement across the network.
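The two facts a defender can act on here are the list of affected package names and the signaling pattern (hardcoded Gmail login over SMTP, then an outbound WebSocket-over-TLS connection). The script below is an added example written for this article; it is not Socket's tooling or code from the packages themselves. It checks the current Python environment for the seven named distributions and statically scans a module's source for the combination of indicators the write-up describes. The sample source strings are constructed for the demonstration, and the account name, password and wss:// endpoint in them are placeholders, not values from the report.

```python
"""Defender-side triage for the Coffin-Codes-style PyPI packages (added example).

1. installed_affected(): are any of the named packages present in this environment?
2. scan_source(): does a module's source show the signaling pattern described in
   the report, i.e. a literal-credential SMTP login to Gmail plus a wss:// endpoint?
"""
import ast
import re
from importlib import metadata

# Package names taken from the report; these are the only page-derived indicators.
AFFECTED_PACKAGES = {
    "coffin-codes-pro", "coffin-codes-net2", "coffin-codes-net",
    "coffin-codes-2022", "coffin2022", "coffin-grave", "cfc-bsb",
}

GMAIL_SMTP_HOSTS = {"smtp.gmail.com"}


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Coffin_Codes-Pro' matches 'coffin-codes-pro'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_affected(dist_names=None):
    """Return the affected package names found among installed distributions.

    dist_names can be passed explicitly (e.g. from `pip freeze` output or a test);
    by default the live environment is inspected via importlib.metadata.
    """
    if dist_names is None:
        dist_names = (d.metadata["Name"] for d in metadata.distributions())
    return sorted({n for n in map(normalize, dist_names) if n in AFFECTED_PACKAGES})


def scan_source(source: str) -> dict:
    """Statically score one module's source for the signaling indicators.

    Flags set:
      smtplib_import  - the module imports smtplib
      gmail_smtp_host - a string literal names Gmail's SMTP host
      hardcoded_login - a .login(...) call whose first two arguments are string literals
      wss_endpoint    - a string literal is a wss:// URL (WebSocket over TLS)
    """
    tree = ast.parse(source)
    found = {"smtplib_import": False, "gmail_smtp_host": False,
             "hardcoded_login": False, "wss_endpoint": False}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(alias.name == "smtplib" for alias in node.names):
                found["smtplib_import"] = True
        elif isinstance(node, ast.ImportFrom):
            if node.module == "smtplib":
                found["smtplib_import"] = True
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value in GMAIL_SMTP_HOSTS:
                found["gmail_smtp_host"] = True
            if node.value.startswith("wss://"):
                found["wss_endpoint"] = True
        elif isinstance(node, ast.Call):
            fn = node.func
            # credentials baked into the call site, not read from config or environment
            if (isinstance(fn, ast.Attribute) and fn.attr == "login" and len(node.args) >= 2
                    and all(isinstance(a, ast.Constant) and isinstance(a.value, str)
                            for a in node.args[:2])):
                found["hardcoded_login"] = True
    return found


def is_suspicious(found: dict) -> bool:
    """The report's pattern is the *combination*: Gmail SMTP + literal login + wss tunnel.
    Any single indicator on its own is common in legitimate code."""
    return found["gmail_smtp_host"] and found["hardcoded_login"] and found["wss_endpoint"]


# Constructed fixtures (not real package code). Credentials and endpoint are placeholders.
SUSPECT_SAMPLE = '''
import smtplib, websocket
s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
s.login("placeholder.account@gmail.com", "PLACEHOLDER_PASSWORD")
ws = websocket.create_connection("wss://example.invalid/placeholder")
'''

BENIGN_SAMPLE = '''
import os, smtplib
s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
s.login(os.environ["MAIL_USER"], os.environ["MAIL_PASS"])
'''

if __name__ == "__main__":
    print("affected packages installed:", installed_affected() or "none")
    for label, src in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        flags = scan_source(src)
        print(f"{label}: {flags} -> suspicious={is_suspicious(flags)}")
```

The scanner deliberately requires all three indicators together before flagging a module: many legitimate projects talk to smtp.gmail.com or open wss:// connections, and a literal `.login()` pair alone may just be a test fixture. Running `scan_source` over every `.py` file under `site-packages` (for example with `pathlib.Path(site.getsitepackages()[0]).rglob("*.py")`) extends the check beyond the seven known names to any lookalike that reuses the same technique.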
Potential Cryptocurrency Theft
Indicators suggest these packages may have been aimed at cryptocurrency theft, as indicated by email addresses such as blockchain.bitcoins2020@gmail.com. Similar tactics have previously been used to steal Solana private keys. Users who have installed any of these packages should remove them immediately and rotate their credentials.
Related Threats in the Ecosystem
In a related incident, a crypto-stealing package named 'crypto-encrypt-ts' was found on npm. Posing as a TypeScript port of the 'CryptoJS' library, it exfiltrated cryptocurrency wallet secrets to a threat-actor-controlled endpoint. It targeted wallets with balances over 1,000 units and was downloaded nearly 2,000 times before removal.