Fortinet FortiGuard Labs identified a malicious PyPI package named zlibxjson version 8.2 that steals Discord tokens, browser cookies, and saved passwords, underscoring the security risks of software dependencies. The package, published on June 29, 2024, was detected by FortiGuard AntiVirus and highlighted the need for vigilant dependency management. #zlibxjson #DiscordTokens
Keypoints
- A malicious PyPI package named zlibxjson version 8.2 was published on June 29, 2024 and identified by FortiGuard Labs as high risk.
- Affected platforms: All platforms where PyPI packages can be installed.
- Impacted parties: Individuals and institutions with malicious packages installed.
- Impact: Leakage of credentials and sensitive information (Discord tokens, browser cookies, saved passwords).
- Malicious files include: discord_token_grabber.py, get_cookies.py, and password_grabber.py.
- FortiGuard AntiVirus detects the malicious files and provides protection.
- MITRE-aligned TTPs include Credential Dumping (T1003), Data Exfiltration (T1041), and Persistence (T1053).
MITRE Techniques
- [T1003] Credential Dumping β The malicious files extract and decrypt sensitive information such as Discord tokens and browser cookies. βThe malicious files extract and decrypt sensitive information such as Discord tokens and browser cookies.β
- [T1041] Data Exfiltration β The malicious code sends the extracted tokens and other user information to an external server controlled by the attacker. βThe malicious code sends the extracted tokens and other user information to an external server controlled by the attacker.β
- [T1053] Persistence β The code includes retry mechanisms to ensure continued operation even if some attempts fail. βThe code includes retry mechanisms to ensure continued operation even if some attempts fail.β
Indicators of Compromise
- [File] IOCs β Dscord_token_grabber.pyc (f49ba791814001b3d4101685bfebb635cdaf3103407a08171bb5d6bbe3e79c77), Get_cookies.pyc (f7e8a57b54489b5b3de66a1d21534ced3d2a2fb1ce8d03c69d4672e62aa00dca), and 2 more hashes