A malicious Python package named “discordpydebug” was identified on PyPI, masquerading as a development utility and used to deliver remote access Trojan (RAT) malware. The malware can backdoor Discord developers’ systems, enabling data theft, remote code execution, and system monitoring. (Affected: Discord developers and systems using the package)
Key points:
- The "discordpydebug" package has been downloaded more than 11,000 times since March 2022, despite having no documentation.
- The installed malware turns affected devices into remote-controlled systems, allowing attackers to execute commands on them remotely.
- It uses outbound HTTP polling to communicate with attacker-controlled C2 servers, which helps it slip past firewalls and security software.
- The package can read and write files on the host machine, capturing sensitive data such as tokens and keys.
- Attackers can use the malware for credential theft, data exfiltration, lateral movement, and deployment of additional payloads.
- It has no persistence or privilege-escalation mechanism, but its stealthy communication makes detection difficult.
- Developers are advised to verify package sources, review open-source code before installing it, and use security tools that block the installation of malicious packages.
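One concrete form of the pre-install check recommended above is an offline audit of a requirements file. The script below is an added example, not code from the article or from any vendor tool: it flags names on a known-malicious list (the one entry is the package the article names) and names that contain or closely resemble a well-known package, which is the pattern lookalike packages rely on. The well-known-package list and the sample requirements file are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional

# Names reported as malicious; the single entry is the package named in the article.
KNOWN_MALICIOUS = {"discordpydebug"}
# Constructed list of well-known packages that lookalike names tend to imitate.
POPULAR = ("discord.py", "requests", "numpy")

def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> List[str]:
    """Extract distribution names from requirements-style lines, dropping comments,
    pip options (lines starting with '-') and version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0))
    return names

def audit(name: str) -> Optional[str]:
    """Return a finding for one package name, or None when nothing looks off.
    Errs toward flagging: a name that merely contains or closely resembles a
    well-known package is reported for manual source review, not blocked."""
    n = normalize(name)
    if n in {normalize(bad) for bad in KNOWN_MALICIOUS}:
        return f"{name}: on the known-malicious list, do not install"
    for popular in POPULAR:
        p = normalize(popular)
        if n == p:
            return None  # exact match with a well-known name
        looks_alike = (p.replace("-", "") in n.replace("-", "")
                       or SequenceMatcher(None, n, p).ratio() >= 0.8)
        if looks_alike:
            return f"{name}: resembles well-known package {popular}, verify its source before installing"
    return None

def audit_requirements(text: str) -> List[str]:
    """Audit every name in a requirements file and return the findings in file order."""
    return [f for f in (audit(name) for name in parse_requirements(text)) if f]

# Constructed sample input; run audit_requirements(SAMPLE_REQUIREMENTS) to see two findings.
SAMPLE_REQUIREMENTS = """\
discord.py>=2.0
discordpydebug        # the package the article reports
reqeusts==2.31.0      # constructed one-letter lookalike of requests
numpy
-r other.txt
"""
```

The resemblance threshold and the substring rule deliberately produce some false positives (for example a legitimate "numpy-financial" would be listed), since the output is a review queue rather than a block list.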