CyberSecurity news
FlagThis - #pypi
|
@socket.dev
//
A malicious Python package named 'discordpydebug' has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to Discord developers. The package, disguised as a simple utility for debugging Discord bots, actually contains a remote access trojan (RAT). This RAT allows attackers to execute commands and exfiltrate data from infected systems via a covert command-and-control (C2) channel. The 'discordpydebug' package was uploaded on March 21, 2022, and has since been downloaded over 11,000 times, putting numerous developer systems at risk.
The 'discordpydebug' package targets developers who build or maintain Discord bots. The attackers took advantage of the fact that PyPI doesn't enforce strict security audits, misleading developers with a legitimate-sounding name and copying code from popular projects to appear trustworthy. The package establishes communication with an attacker-controlled server at "backstabprotection.jamesx123.repl[.]co", and includes features to read and write arbitrary files based on commands received from the server, along with the ability to run shell commands. The simplicity of the RAT is what makes it effective. The package avoids inbound connections, instead opting for outbound HTTP polling to bypass firewalls and security monitoring tools, especially in less controlled development environments. This discovery highlights the increasing danger of software supply chain attacks and the importance of vigilance when installing packages from open-source repositories. The Socket Research Team urges developers to be cautious and scrutinize any third-party tools or code snippets shared within the Discord developer community. Recommended read:
References :
securebulletin.com@Secure Bulletin
//
Attackers are increasingly turning to trusted services like Gmail and Google APIs to create stealthy command-and-control (C2) channels. This tactic allows them to mask malicious activities within legitimate network traffic, making detection and mitigation significantly harder. By leveraging platforms like Gmail and Google Drive, threat actors can embed their communications within encrypted channels provided by reputable services, bypassing many traditional security measures. These communications are encrypted by Gmail’s TLS, further complicating detection efforts.
A recent investigation by Socket's Threat Research Team uncovered a campaign using malicious Python packages to establish covert tunnels via Gmail’s SMTP protocol, enabling attackers to exfiltrate data and execute remote commands undetected. Seven malicious PyPI packages, operating under the "Coffin Codes" theme, were found abusing Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution. These packages, once installed, establish an encrypted connection to Gmail’s SMTP server using hardcoded credentials, sending signals and critical information to attacker-controlled email addresses. The identified packages include Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb. While the packages have been removed from PyPI, one of them was downloaded over 18,000 times before removal. The most advanced variants of the packages also establish outbound WebSocket connections, enabling attackers to issue commands, transfer files, and potentially gain deeper access into the victim's network. This highlights the ongoing risks posed by supply chain attacks and the exploitation of trusted cloud services. Recommended read:
References :
Mandvi@Cyber Security News
//
Cybersecurity researchers have recently identified several malicious Python packages on the Python Package Index (PyPI) repository that were designed to steal sensitive information, particularly credit card details and cryptocurrency-related data. These packages, downloaded over 39,000 times before their removal, demonstrate an increasing threat to software supply chains and the vulnerability of developers relying on open-source repositories. The malicious packages targeted both e-commerce platforms and cryptocurrency users, employing various techniques to evade detection and compromise sensitive data.
The most prevalent of these packages, "disgrasya," which translates to 'accident' or 'disaster' in Filipino, was downloaded over 34,000 times and functioned as a fully automated carding toolkit. This package specifically targeted WooCommerce stores integrated with CyberSource payment gateways, automating the process of validating stolen credit card information. It emulated legitimate shopping activity, programmatically adding items to a cart, navigating to the checkout page, and filling out the payment form, effectively bypassing fraud detection systems. Stolen card data, including numbers, expiration dates, and CVVs, was then exfiltrated to an external server controlled by the attacker. Two other packages, "bitcoinlibdbfix" and "bitcoinlib-dev," masqueraded as fixes for issues in the legitimate "bitcoinlib" Python module. These packages attempted to overwrite the 'clw cli' command with malicious code designed to steal sensitive database files, potentially compromising cryptocurrency wallets and transactions. Researchers noted that the authors of these counterfeit libraries even engaged in GitHub issue discussions, attempting to trick users into downloading and running the malicious code. The discovery of these packages highlights the ongoing need for robust security measures and vigilance within the open-source software ecosystem. Recommended read:
References :
Bill Toulas@BleepingComputer
//
A malicious Python package, "disgrasya," has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to e-commerce platforms. The package, which translates to "disaster" in Filipino slang, contains a fully automated carding script specifically designed to target WooCommerce stores that utilize the CyberSource payment gateway. This malicious tool allows attackers to test stolen credit card information against live e-commerce payment systems, streamlining the process of identifying valid cards for fraudulent activities. Unlike typical supply chain attacks, "disgrasya" made no attempt to conceal its malicious intent, openly serving as a distribution mechanism for fraudsters.
The "disgrasya" package automates the entire carding workflow, mimicking legitimate customer behavior to bypass fraud detection systems. The script starts by identifying a product on the targeted WooCommerce store and simulates adding items to the cart. It then gathers security tokens and proceeds to tokenize stolen credit card data using CyberSource's mechanisms, submitting it through WooCommerce's checkout endpoints. If the card is valid, the attacker receives confirmation without triggering typical fraud prevention measures like CAPTCHAs. Alarmingly, the script also exfiltrates stolen card data, including numbers, expiration dates, CVVs, and tokenized representations, to an external server controlled by the attacker. Before its discovery and removal from PyPI, "disgrasya" was downloaded over 37,217 times, highlighting the scale of the potential threat. This widespread distribution suggests that the tool may already be in active use across numerous fraud campaigns, posing a growing financial risk to businesses. The carding attack facilitated by "disgrasya" contributes to the rising costs of online payment fraud, which is estimated to cost merchants over $362 billion globally between 2023 and 2028. Security measures such as monitoring traffic patterns, implementing CAPTCHAs, and rate limiting on checkout and payment endpoints can help mitigate the threat posed by "disgrasya" and similar malicious packages. Recommended read:
References :
Samarth Mishra@cysecurity.news
//
A malicious Python package named 'set-utils' has been discovered on the Python Package Index (PyPI) repository. This package is designed to steal Ethereum private keys by exploiting commonly used account creation functions. Disguised as a utility for Python sets, the package mimics popular libraries, tricking developers into installing it. Since its appearance, 'set-utils' has been downloaded over 1,000 times, posing a significant threat to Ethereum users and developers, particularly those working with Python-based wallet management libraries. The Python security team has removed the malicious package from PyPI.
The 'set-utils' package operates by silently modifying standard Ethereum wallet creation functions. The private keys are exfiltrated within blockchain transactions via the Polygon RPC endpoint to resist traditional detection efforts. The stolen keys are encrypted using an attacker-controlled RSA public key before transmission, making detection challenging. Even if the package is uninstalled, any Ethereum wallets created while it was active remain compromised. To mitigate these risks, developers should employ regular dependency audits and automated scanning tools to detect malicious behaviors in third-party packages. Recommended read:
References :
@Talkback Resources
//
Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a high severity score of 7.1, allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.
A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy. Recommended read:
References :
|