Three malicious Python packages (checker-SaGaF, steinlurks, and sinnercore) are actively abusing TikTok and Instagram internal APIs to verify whether emails are linked to valid accounts, facilitating attacker reconnaissance and credential-based exploits. These packages pose a high supply chain security risk due to unauthorized network access and are used to build targeted attack lists impacting social media platforms such as TikTok and Instagram.
Keypoints
- Malicious Python packages on PyPI (checker-SaGaF, steinlurks, sinnercore) abuse internal and private APIs of TikTok and Instagram to check if emails correspond to valid accounts.
- Checker-SaGaF uses TikTok’s private password recovery API to confirm email registration, simulating legitimate app requests to evade detection.
- Steinlurks implements five different Instagram email-checking functions to evade detection by cycling across multiple Instagram internal APIs and mimicking legitimate user agents.
- Sinnercore triggers Instagram’s password reset flow by sending forged requests with randomized headers and CSRF tokens, also including OSINT and crypto utility features.
- These packages enable attackers to assemble live user account lists for credential stuffing, password spraying, doxing, fake reporting, or selling verified email databases on the dark web.
- Socket Security flagged these packages as malware due to unauthorized network access and malicious behavior, reporting them to the PyPI security team.
- Defensive recommendations include monitoring credential leaks, reducing informative login error messages, and using tools like Socket’s GitHub App and browser extensions to detect malicious dependencies.
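The checkers work because the password-recovery endpoint answers differently for registered and unregistered addresses, which is the "informative error message" the defensive recommendation above targets. The following is an added example, not code from the Socket write-up or from the packages: a leaky recovery handler beside an enumeration-resistant one, plus a check a defender can run in CI to confirm the two replies are indistinguishable. The user store, outbox, and sample addresses are constructed.

```python
import secrets

# Constructed sample data: a tiny in-memory user store and an outbox that stands in
# for the mail sender. A real service would query a database and an SMTP relay.
REGISTERED_EMAILS = {"alice@example.com", "bob@example.com"}
OUTBOX: list = []


def send_reset_mail(email: str, token: str) -> None:
    OUTBOX.append((email, token))


def leaky_recover(email: str) -> dict:
    """Reply differs by branch, so a caller learns whether the address is
    registered. This is the kind of response the checker packages interpret."""
    if email in REGISTERED_EMAILS:
        send_reset_mail(email, secrets.token_urlsafe(32))
        return {"status": "ok", "message": "Reset email sent"}
    return {"status": "error", "message": "Email not registered"}


def hardened_recover(email: str) -> dict:
    """Identical reply on both branches. The token is generated on both paths so
    the two requests cost roughly the same time; only the mail step differs,
    and the caller cannot observe it."""
    token = secrets.token_urlsafe(32)
    if email in REGISTERED_EMAILS:
        send_reset_mail(email, token)
    return {"status": "ok",
            "message": "If that address is registered, a reset link has been sent"}


def leaks_existence(handler) -> bool:
    """Defender-side check for CI: call the handler with a registered and an
    unregistered address and report whether the replies are distinguishable."""
    return handler("alice@example.com") != handler("no-such-user@example.com")


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_existence(leaky_recover))        # True
    print("hardened handler leaks:", leaks_existence(hardened_recover))  # False
```

Pair the uniform response with per-source rate limiting on the recovery endpoint, since a constant reply removes the oracle but not the request volume a bulk checker generates.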
MITRE Techniques
- [T1036.005] Masquerading – The packages mimic legitimate client applications by forging User-Agent strings and headers to evade detection. (“The code then follows the same logic of interpreting error codes… mimicking real app data and device identifiers”)
- [T1059.006] Command and Scripting Interpreter: Python – Malicious Python scripts automate credential validation by abusing internal APIs. (“Checker-SaGaF, steinlurks, and sinnercore, were all live on the Python Package Index”)
- [T1071.001] Application Layer Protocol: Web Protocols – Abuse of web APIs via HTTP POST requests to validate account existence. (“It then sends the POST request to TikTok’s internal API with the forged headers and data”)
- [T1078] Valid Accounts – Verification of valid user accounts by checking if emails belong to active accounts on TikTok and Instagram. (“By checking for this string, the attacker can determine if the email is valid”)
- [T1110.001] Brute Force: Password Guessing – Used indirectly as verified accounts facilitate password guessing attempts. (“Threat actors can target their exploits” after confirming valid accounts)
- [T1110.003] Brute Force: Password Spraying – Validated account lists enable large-scale password spraying campaigns. (“Validated user lists are also sold on the dark web for profit”)
- [T1589.001] Gather Victim Identity Information: Credentials – Collection of personal emails associated with accounts. (“Threat actors have collected personal emails before initiating an exploit”)
- [T1589.002] Gather Victim Identity Information: Email Addresses – Email verification through API abuse. (“Abusing the internal API endpoint to check if an email is registered”)
- [T1592] Gather Victim Identity Information – Attackers gather victim info silently, including user bio translations and Telegram data. (“The rest of sinnercore focuses on silent OSINT, like pulling user info and translating text”)
- [T1596] Search Open Websites/Domains – Automated enumeration against public and internal APIs. (“Checkers operate by systematically testing these credentials against login interfaces”)
Indicators of Compromise
- [URLs] Malicious API endpoints targeted – hxxps://i.instagram.com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/, hxxps://api2-19-h2.musical.ly/aweme/v1/passport/find-password-via-email/
- [Python Packages] Malicious PyPI packages – checker-SaGaF, steinlurks, sinnercore flagged for supply chain risks
- [Emails] Threat actor registration addresses – [email protected]@gmail.com (used for PyPI registrations)
- [HTTP Headers/User-Agents] Randomized and forged user agents mimicking Instagram Android app versions, e.g., “Instagram 167.0.0.31.121 Android (30/11; 1440dpi; 2560×1440; samsung; SM-G973F; arm64v8a; phone; enUS; qcom)”
Read more: https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and-instagram