Malicious PyPI Package Targets Discord Developers with Remote Access Trojan

A malicious Python package named “discordpydebug”, disguised as a debugging helper for Discord.py bots, was uploaded to PyPI and downloaded more than 11,000 times. It carried a remote access trojan (RAT) that lets an attacker read and write files on the host and execute arbitrary shell commands. (Affected: Python developers, Discord bot developers, software supply chain)

Key points:

  • A Python package named “discordpydebug” was uploaded to PyPI, masquerading as a Discord.py debugging utility.
  • The package contained a remote access trojan (RAT) capable of full remote control over infected systems.
  • The package was downloaded over 11,000 times, primarily by Discord bot developers and small teams.
  • The malware communicated with a command-and-control (C2) server hosted at backstabprotection.jamesx123.repl.co via HTTPS.
  • It could read and write files and execute arbitrary shell commands on the host system.
  • The RAT runs a continuous polling loop, fetching commands every second and sending responses back to the attacker.
  • The backdoor uses only outbound HTTPS requests to a Replit-hosted domain, so it passes default egress firewall rules and blends into ordinary developer web traffic rather than opening a listening port.
  • Potential impacts include data theft, unauthorized file access, remote code execution, and lateral movement within networks.
  • The package had no persistence or privilege-escalation code, but the low barrier to infection (a single pip install) still made it a significant risk.
  • Security teams reported the package to PyPI; it has been removed but highlights ongoing supply chain risks.

MITRE ATT&CK techniques:

  • Web Protocols (T1071.001) – Uses HTTPS to communicate with the attacker’s command-and-control (C2) server.
  • Python (T1059.006) – Executes attacker-supplied shell commands on the host through Python’s subprocess module.
  • File and Directory Discovery (T1083) – Reads files on the infected system when triggered by C2 commands.
  • Data from Local System (T1005) – Collects sensitive files such as configuration files or tokens.
  • Exfiltration Over C2 Channel (T1041) – Sends file contents and command output back to the attacker in HTTPS POST requests to the /output endpoint.
  • Masquerading: Match Legitimate Name or Location (T1036.005) – Poses as a legitimate Discord.py debugging package so developers install it voluntarily.

Indicators of compromise:

  • The article identifies the C2 domain backstabprotection.jamesx123.repl.co used for command and control communication.
  • The URL https://backstabprotection.jamesx123.repl.co/ (command poll) and the /output path on the same host (result upload) are indicators of malicious traffic.
  • Network traffic showing a steady stream of requests from a developer machine to this host, roughly one GET per second interleaved with POSTs to /output, indicates an active infection.
  • The presence of the package “discordpydebug” in a Python environment (site-packages, pip freeze output) or pinned in a requirements or lock file is itself an IOC.
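The indicators above can be turned into a hunt. The script below is an added example for this summary, not code from the Socket write-up or from the malicious package: it flags hosts beaconing to the reported C2 domain in web-proxy logs (using the one-second polling cadence the report describes), checks whether the package is installed in the current environment, and scans requirements text for the package name using the same name normalization pip applies. The proxy log format is an assumption, and the sample log lines and requirements text are constructed, not real captures.

```python
"""Hunt for discordpydebug indicators: C2 beaconing in proxy logs, the package
in the running environment, and the package pinned in dependency files.
Added example; log format is assumed and all sample data is constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from importlib import metadata
from urllib.parse import urlsplit

C2_HOST = "backstabprotection.jamesx123.repl.co"  # C2 host named in the report
PACKAGE = "discordpydebug"                         # package name from the report

# Assumed proxy log format: "<iso-timestamp> <src-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3})$")

# Constructed sample: 10.0.0.5 polls the C2 once a second and posts a result;
# 10.0.0.9 is a clean developer host talking to PyPI and Discord.
SAMPLE_LOG = """\
2025-05-06T10:00:00 10.0.0.5 GET https://backstabprotection.jamesx123.repl.co/ 200
2025-05-06T10:00:01 10.0.0.5 GET https://backstabprotection.jamesx123.repl.co/ 200
2025-05-06T10:00:02 10.0.0.5 GET https://backstabprotection.jamesx123.repl.co/ 200
2025-05-06T10:00:02 10.0.0.5 POST https://backstabprotection.jamesx123.repl.co/output 200
2025-05-06T10:00:03 10.0.0.5 GET https://backstabprotection.jamesx123.repl.co/ 200
2025-05-06T10:00:07 10.0.0.9 GET https://pypi.org/simple/discord-py/ 200
2025-05-06T10:00:09 10.0.0.9 GET https://discord.com/api/v10/gateway 200
"""

# Constructed requirements file: the malicious name is pinned with different
# casing, which pip still resolves to the same project.
SAMPLE_REQUIREMENTS = """\
discord.py==2.3.2
DiscordPyDebug==0.1.0  # "debug helper" added by a teammate
requests>=2.31
"""


def parse_log(text):
    """Yield (timestamp, src, method, url, status); skip non-matching lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, method, url, status = m.groups()
            yield datetime.fromisoformat(ts), src, method, url, int(status)


def find_c2_beacons(log_text, c2_host=C2_HOST, min_hits=3, max_median_gap=5.0):
    """Group requests to the C2 host by source IP and flag beaconing.

    Every source that touched the host is reported; it is marked as beaconing
    when it made at least min_hits requests and the median gap between
    consecutive requests is at most max_median_gap seconds.
    """
    by_src = defaultdict(list)
    for ts, src, method, url, _ in parse_log(log_text):
        parts = urlsplit(url)
        if (parts.hostname or "").lower() == c2_host:
            by_src[src].append((ts, method, parts.path))

    report = {}
    for src, events in by_src.items():
        events.sort()
        times = [e[0] for e in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps) if gaps else None
        report[src] = {
            "hits": len(events),
            "output_posts": sum(1 for _, m, p in events if m == "POST" and p == "/output"),
            "median_gap_s": median_gap,
            "beaconing": len(events) >= min_hits
            and median_gap is not None
            and median_gap <= max_median_gap,
        }
    return report


def installed_version(package=PACKAGE):
    """Return the installed version of the package, or None if it is absent."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def normalize_name(name):
    """PEP 503 project-name normalization, the rule pip and PyPI apply."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_dependency_text(text, package=PACKAGE):
    """Return the lines of a requirements/lock file that name the package."""
    name_re = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
    wanted = normalize_name(package)
    return [
        line.strip()
        for line in text.splitlines()
        if (m := name_re.match(line)) and normalize_name(m.group(1)) == wanted
    ]


if __name__ == "__main__":
    for src, info in find_c2_beacons(SAMPLE_LOG).items():
        print(f"{src}: {info}")
    print("installed:", installed_version())
    print("pinned:", scan_dependency_text(SAMPLE_REQUIREMENTS))
```

Any contact with the C2 host is worth a ticket on its own; the cadence check only separates a live polling loop from a one-off lookup. On a real fleet, feed the function your proxy or DNS logs after mapping them to the assumed columns, and run the dependency scan over every requirements.txt, Pipfile.lock, and poetry.lock in your repositories, since the package may be pinned there long after it was removed from PyPI.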


Read more: https://socket.dev/blog/malicious-pypi-package-targets-discord-developers-with-RAT
