CyberSecurity news
Bill Toulas@BleepingComputer
Seven malicious Python packages have been discovered on the Python Package Index (PyPI), exploiting Gmail's SMTP servers and WebSockets for covert data exfiltration and remote command execution. According to a detailed technical report by Socket’s Threat Research Team, these packages were designed to establish Gmail-based command-and-control (C2) tunnels, effectively bypassing security measures. The malicious packages include Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb, some of which remained available on PyPI for over four years and were downloaded thousands of times.
The packages create outbound tunnels from infected machines using Gmail’s SMTP infrastructure, enabling them to bypass firewalls and endpoint defenses that typically trust outbound email traffic. The most alarming variant, Coffin-Codes-Pro, connects to Gmail’s SMTP server using hardcoded credentials and sends confirmation emails to acknowledge successful implantation. After this exchange, the package establishes a WebSocket tunnel and spins up a TCP forwarder, allowing remote attackers to interact with services behind NATs or firewalls with full duplex communication.
Researchers found slight variations in email accounts and port-handling behavior across the package versions, but all followed the same overarching architecture. Some packages use different Gmail credentials, while the earliest package, cfc-bsb, lacks direct exfiltration functionality but retains suspicious tunneling capabilities. Attackers could use these tunnels to access internal dashboards, APIs, admin panels, and even execute scripts or shell commands, extending the threat far beyond digital wallets. Socket advises monitoring outbound SMTP traffic to defend against such attacks.
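Socket's mitigation advice above is to watch outbound SMTP. The following detection logic is an added example written for this article, not code from Socket's report or from the packages themselves: it parses constructed process-to-network log lines (the `host=... proc=... dst=...` format, the allowlist of mail clients and the IP addresses are all assumptions made for the example) and flags any process that opens a connection to an SMTP submission port without being a known mail client, with a stronger reason when the process is a Python interpreter, which is what a malicious PyPI package would run as.

```python
"""Flag outbound SMTP connections from unexpected processes.

Added example for this article; the log format, allowlist and addresses are
constructed for illustration and are not taken from the Socket report.
"""
import re
from collections import namedtuple

# Ports where SMTP submission normally happens; Gmail's SMTP service uses 465 and 587.
SMTP_PORTS = {25, 465, 587}

# Hypothetical allowlist: processes that are expected to speak SMTP on this fleet.
ALLOWED_MAILERS = {"thunderbird", "outlook.exe", "postfix", "exim"}

# Constructed log format:
#   <ts> host=<hostname> proc=<process> pid=<n> dst=<ip>:<port> [dns=<resolved-name>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+)(?: dns=(?P<dns>\S+))?$"
)

Alert = namedtuple("Alert", "ts host proc pid dst dns reason")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["pid"] = int(rec["pid"])
    return rec


def classify(rec):
    """Return an alert reason for a parsed record, or None if it looks benign."""
    if rec["port"] not in SMTP_PORTS:
        return None
    proc = rec["proc"].lower()
    if proc in ALLOWED_MAILERS:
        return None
    dns = (rec.get("dns") or "").lower()
    target = f" to {dns}" if dns else ""
    # A Python interpreter talking SMTP is the pattern described for these packages.
    if proc.startswith("python"):
        return f"python interpreter opened an SMTP connection{target}"
    return f"non-mail-client process opened an SMTP connection{target}"


def scan(lines):
    """Run every line through the parser and classifier; return the alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        reason = classify(rec)
        if reason:
            alerts.append(Alert(rec["ts"], rec["host"], rec["proc"], rec["pid"],
                                f'{rec["ip"]}:{rec["port"]}', rec.get("dns"), reason))
    return alerts


# Constructed sample log (documentation-range IPs, not real Gmail addresses).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z host=dev-box-7 proc=python3 pid=4121 dst=198.51.100.10:587 dns=smtp.gmail.com",
    "2024-01-01T10:00:05Z host=dev-box-7 proc=thunderbird pid=2200 dst=198.51.100.10:465 dns=smtp.gmail.com",
    "2024-01-01T10:00:09Z host=dev-box-7 proc=curl pid=4130 dst=192.0.2.5:443 dns=pypi.org",
    "2024-01-01T10:00:12Z host=build-02 proc=node pid=911 dst=198.51.100.20:25",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.ts}] {a.host} {a.proc}({a.pid}) -> {a.dst}: {a.reason}")
```

Feeding real EDR or firewall flow records into `scan` only requires adapting `LINE_RE` and the allowlist; the point is the pairing of destination port with originating process, since a host-level firewall that permits SMTP for mail clients cannot by itself distinguish them from a script using the same port.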
References:
- securityonline.info: Malicious Python Packages Exploited Gmail as Covert Command-and-Control Channels
- BleepingComputer: Malicious PyPI packages abuse Gmail, websockets to hijack systems
- bsky.app: Seven malicious PyPi packages were found using Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution.
- bsky.app: Socket Security has spotted seven malicious PyPI packages that use Gmail SMTP servers as tunnels to infected systems
- socket.dev: Packages use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.
- Cyber Security News: Seven Malicious Packages Exploit Gmail SMTP to Execute Harmful Commands
- gbhackers.com: Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands
- Virus Bulletin: Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. These seven packages: use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.
- cyberpress.org: Seven Malicious Packages Exploit Gmail SMTP to Execute Harmful Commands
- socket.dev: Using Trusted Protocols Against You: Gmail as a C2 Mechanism
- Secure Bulletin: Hijacking Trust: how Gmail and Google APIs are being weaponized for stealthy C2 channels