Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that masquerades as a seemingly harmless Discord-related utility but incorporates a remote access trojan.
The package in question is discordpydebug, which was uploaded to PyPI on March 21, 2022. It has been downloaded 11,574 times and continues to be available on the open-source registry. Interestingly, the package has not received any update since then.
“At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library,” the Socket Research Team said. “However, the package concealed a fully functional remote access trojan (RAT).”
The package, once installed, contacts an external server (“backstabprotection.jamesx123.repl[.]co”), and includes features to read and write arbitrary files based on commands, readfile or writefile, received from the server. The RAT also supports the ability to run shell commands.
In a nutshell, discordpydebug could be used to read sensitive data, such as configuration files, tokens, and credentials, tamper with existing files, download additional payloads, and run commands to exfiltrate data.
“While the code does not include mechanisms for persistence or privilege escalation, its simplicity makes it particularly effective,” Socket said. “The use of outbound HTTP polling rather than inbound connections allows it to bypass most firewalls and security monitoring tools, especially in less tightly controlled development environments.”
The development comes as the software supply chain security company also uncovered over 45 npm packages posing as legitimate libraries available on other ecosystems as a way to trick developers into installing them. Some of the notable ones are listed below –
- beautifulsoup4 (a typosquat of the BeautifulSoup4 Python library)
- apache-httpclient (a typosquat of the Apache HttpClient Java library)
- opentk (a typosquat of the OpenTK .NET library)
- seaborn (a typosquat of the Seaborn Python library)
All the identified packages have been found to share the same infrastructure, use similar obfuscated payloads, and point to the same IP address, despite listing different maintainers, indicating the work of a single threat actor.
“Packages identified as part of this campaign contain obfuscated code designed to bypass security measures, execute malicious scripts, exfiltrate sensitive data, and maintain persistence on affected systems,” Socket said.
