Cybersecurity researchers have flagged a malicious Python library on the Python Package Index (PyPI) repository that facilitates unauthorized music downloads from music streaming service Deezer.
The package in question is automslc, which has been downloaded over 104,000 times to date. First published in May 2019, it remains available on PyPI as of writing.
“Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer’s access restrictions by embedding hardcoded credentials and communicating with an external command-and-control (C2) server,” Socket security researcher Kirill Boychenko said in a report published today.
Specifically, the package is designed to log into the French music streaming platform via user-supplied and hard-coded credentials, gather track-related metadata, and download full audio files in violation of Deezer’s API terms.
The package also periodically communicates with a remote server located at “54.39.49[.]17:8031” to provide updates on the download status, thereby giving the threat actor centralized control over the coordinated music piracy operation.
Put differently, automslc effectively turns the systems of the package users into an illicit network for facilitating bulk music downloads in an unauthorized manner. The IP address is associated with a domain named “automusic[.]win,” which is said to be used by the threat actor to oversee the distributed downloading operation.
“Deezer’s API terms forbid the local or offline storage of complete audio content, but by downloading and decrypting entire tracks, automslc bypasses this limitation, potentially placing users at risk of legal repercussions,” Boychenko said.
The disclosure comes as the software supply chain security company detailed a rogue npm package called @ton-wallet/create that has been found stealing mnemonic phrases from unsuspecting users and developers in the TON ecosystem, while impersonating the legitimate @ton/ton package.
The package, first published to the npm registry in August 2024, has attracted 584 downloads to date. It remains available for download.
The malicious functionality embedded into the library is capable of extracting the process.env.MNEMONIC environment variable, thereby giving threat actors complete access to a cryptocurrency wallet and potentially drain a victim’s digital assets. The information is transmitted to an attacker-controlled Telegram bot.
“This attack poses severe supply chain security risks, targeting developers and users integrating TON wallets into their applications,” Socket said. “Regular dependency audits and automated scanning tools should be employed to detect anomalous or malicious behaviors in third-party packages before they are integrated into production environments.”
