Cybersecurity researchers have uncovered a malicious package on the Python Package Index (PyPI) repository that poses as a harmless Discord-related utility but actually contains a remote access trojan.
The package, named discordpydebug, was uploaded to PyPI on March 21, 2022, and has been downloaded 11,574 times. It remains available on the open-source registry and has never received an update.
Initially appearing as a simple utility for Discord bot developers using the Discord.py library, the package was found to harbor a fully functional remote access trojan (RAT), the Socket Research Team revealed.
Upon installation, the package establishes contact with an external server (“backstabprotection.jamesx123.repl[.]co”) and includes functions to manipulate files through commands received from the server. Additionally, the RAT can execute shell commands.
Overall, discordpydebug could be utilized to access sensitive data, modify files, download additional payloads, and extract data by running commands.
“While lacking mechanisms for persistence or privilege escalation, the simplicity of the code makes it highly effective,” Socket noted. “Using outbound HTTP polling instead of inbound connections enables it to evade most firewalls and security tools, especially in less restrictive development environments.”
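The polling behavior described above is also the detection opportunity: a host that is contacted at a nearly constant interval from a developer workstation stands out even when every request is an ordinary outbound HTTP GET. The following is an added example, not code from the article or from Socket, that parses constructed proxy log lines and flags (source, host) pairs whose inter-request gaps have very low jitter. The log format, the thresholds, and every log line are assumptions; only the C2 hostname is taken from the article.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress (HTTP proxy) log lines for illustration only.
# Assumed format: "<ISO timestamp> <src-ip> <method> <host> <path> <status>".
# The first five lines imitate a 30-second polling loop to the host named in the article;
# the rest are normal developer traffic to legitimate hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET backstabprotection.jamesx123.repl.co /poll 200
2024-05-01T10:00:30 10.0.0.5 GET backstabprotection.jamesx123.repl.co /poll 200
2024-05-01T10:01:00 10.0.0.5 GET backstabprotection.jamesx123.repl.co /poll 200
2024-05-01T10:01:30 10.0.0.5 GET backstabprotection.jamesx123.repl.co /poll 200
2024-05-01T10:02:00 10.0.0.5 GET backstabprotection.jamesx123.repl.co /poll 200
2024-05-01T10:00:07 10.0.0.5 GET pypi.org /simple/requests/ 200
2024-05-01T10:00:09 10.0.0.5 GET files.pythonhosted.org /packages/requests.whl 200
2024-05-01T10:03:41 10.0.0.5 GET github.com /some/repo 200
2024-05-01T10:11:02 10.0.0.5 GET github.com /other/repo 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse proxy lines into (timestamp, src, host) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("host")))
    return events


def find_beacons(text, min_requests=4, max_cv=0.2, max_interval=600.0):
    """Return (src, host) pairs whose request timing looks like a polling loop.

    A pair is flagged when it has at least min_requests requests, the mean gap between
    consecutive requests is at most max_interval seconds, and the coefficient of
    variation of the gaps (stdev / mean) is at most max_cv. Human-driven traffic
    has irregular gaps; a sleep-and-poll loop has a CV near zero.
    """
    by_pair = defaultdict(list)
    for ts, src, host in parse_log(text):
        by_pair[(src, host)].append(ts)

    findings = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0 or avg > max_interval:
            # avg == 0 means identical timestamps (a burst, not a beacon); avoids division by zero.
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "host": host,
                "requests": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"beacon-like traffic: {hit['src']} -> {hit['host']} "
              f"({hit['requests']} requests, every ~{hit['mean_interval_s']}s, cv={hit['cv']})")
```

On real proxy or Zeek HTTP logs the same logic applies per source host; the interesting tuning knobs are the minimum request count (too low and package index mirrors look like beacons) and whether to whitelist hosts that are expected to be polled, such as CI status endpoints.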
This discovery coincides with the identification of over 45 npm packages that masquerade as legitimate libraries from other ecosystems in order to trick developers into installing them. Some notable examples include:
- beautifulsoup4 (impersonating the BeautifulSoup4 Python library)
- apache-httpclient (mimicking the Apache HttpClient Java library)
- opentk (posing as the OpenTK .NET library)
- seaborn (pretending to be the Seaborn Python library)
All these packages share the same infrastructure, use similar obfuscated payloads, and point to the same IP address, despite listing different maintainers, indicating the work of a single threat actor.
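Two checks fall out of the pattern described above: a name that is well known in another ecosystem but new to npm deserves scrutiny, and packages published under different maintainers that resolve to the same payload host or IP should be treated as one campaign. The following is an added example, not code from the article or from Socket, that runs both checks over constructed package records. The package names in the records are the four listed above; the maintainer handles, payload hosts, IP addresses, and the cross-ecosystem index are invented placeholders, not observed indicators.

```python
from collections import defaultdict

# Constructed package metadata for illustration. Names come from the article; every other
# field (maintainer, payload_host, ip) is an invented placeholder.
PACKAGES = [
    {"name": "beautifulsoup4",    "ecosystem": "npm", "maintainer": "dev-a",
     "payload_host": "cdn-a.example", "ip": "203.0.113.10"},
    {"name": "apache-httpclient", "ecosystem": "npm", "maintainer": "dev-b",
     "payload_host": "cdn-a.example", "ip": "203.0.113.10"},
    {"name": "opentk",            "ecosystem": "npm", "maintainer": "dev-c",
     "payload_host": "cdn-a.example", "ip": "203.0.113.10"},
    {"name": "seaborn",           "ecosystem": "npm", "maintainer": "dev-d",
     "payload_host": "cdn-a.example", "ip": "203.0.113.10"},
    # A benign control: unique name, unique infrastructure.
    {"name": "tiny-util-example", "ecosystem": "npm", "maintainer": "dev-e",
     "payload_host": "cdn-b.example", "ip": "198.51.100.7"},
]

# Constructed index of names that are well known in other ecosystems. A real implementation
# would populate this from the PyPI, Maven Central and NuGet APIs rather than hardcode it.
KNOWN_ELSEWHERE = {
    "beautifulsoup4": "PyPI",
    "seaborn": "PyPI",
    "apache-httpclient": "Maven",
    "opentk": "NuGet",
}


def cross_ecosystem_collisions(packages, index=KNOWN_ELSEWHERE):
    """Map package name -> foreign ecosystem for names that impersonate another registry's library."""
    hits = {}
    for p in packages:
        home = index.get(p["name"].lower())
        if home and home != p["ecosystem"]:
            hits[p["name"]] = home
    return hits


def infrastructure_clusters(packages, min_size=2):
    """Group packages by shared (payload_host, ip) and report clusters spanning several maintainers.

    Different maintainer names on packages that pull from identical infrastructure is the
    signal the article describes for attributing the set to a single actor.
    """
    groups = defaultdict(list)
    for p in packages:
        groups[(p["payload_host"], p["ip"])].append(p)

    clusters = []
    for (host, ip), members in groups.items():
        maintainers = sorted({m["maintainer"] for m in members})
        if len(members) >= min_size and len(maintainers) > 1:
            clusters.append({
                "payload_host": host,
                "ip": ip,
                "packages": sorted(m["name"] for m in members),
                "maintainers": maintainers,
            })
    return clusters


def triage(packages, index=KNOWN_ELSEWHERE):
    """Return the names that are both cross-ecosystem lookalikes and part of a shared-infra cluster."""
    lookalikes = cross_ecosystem_collisions(packages, index)
    clustered = {name for c in infrastructure_clusters(packages) for name in c["packages"]}
    return sorted(lookalikes.keys() & clustered)


if __name__ == "__main__":
    for name, home in cross_ecosystem_collisions(PACKAGES).items():
        print(f"{name}: npm package using a name known from {home}")
    for c in infrastructure_clusters(PACKAGES):
        print(f"shared infrastructure {c['payload_host']} / {c['ip']}: "
              f"{', '.join(c['packages'])} under maintainers {', '.join(c['maintainers'])}")
    print("high-confidence campaign members:", triage(PACKAGES))
```

The combination matters: a single lookalike name can be an innocent port, and a single shared CDN host can be a legitimate build service, but a lookalike name that also shares an install-time download host and IP with other lookalikes under other maintainers is hard to explain innocently.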
“The packages involved in this campaign contain obfuscated code designed to evade security measures, execute malicious scripts, extract sensitive data, and maintain persistence on compromised systems,” Socket stated.