PyPI package with 100K installs pirated music from Deezer for years

Summary: A malicious package named ‘automslc’ has been downloaded more than 100,000 times from PyPI since 2019. It uses hard-coded Deezer credentials to pirate music, enabling mass-scale piracy by bypassing Deezer’s protections and exposing its users to legal repercussions and potential malware. The security firm Socket discovered the package, which remains available for download despite its illegal functionality.

Affected: Deezer and PyPI

Key points:

  • ‘automslc’ abuses hard-coded credentials to log into Deezer and illegally download music.
  • The package can act as a command-and-control (C2) tool, enabling unauthorized centralized control and potential malware distribution.
  • The identities of the package creators remain unknown, but illegal use of the tool puts unsuspecting users at risk.
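
As an added defender-side example (not code from the article, Socket, or the package itself), the check below does two things a practitioner would want after reading this: it looks for the named package among installed distributions, and it flags hard-coded credential string literals in Python source with the standard-library `ast` module. The sample source and its credential values are constructed placeholders, and the credential-name pattern is an assumption, not a signature from the report.

```python
"""Added example: spot a known-bad package and hard-coded credential literals."""
import ast
import importlib.metadata as md
import re

# Assumed heuristic: variable or keyword names that usually carry secrets.
CREDENTIAL_NAMES = re.compile(r"(pass(word|wd)?|secret|token|api_?key|email|login)", re.I)


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_credentials(source: str):
    """Return (lineno, name, value) for string literals assigned to, or passed
    as keyword arguments under, credential-like names. References to names
    (e.g. password=PASSWORD) are not flagged; only literals are."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_str_literal(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and CREDENTIAL_NAMES.search(target.id):
                    hits.append((node.lineno, target.id, node.value.value))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg and CREDENTIAL_NAMES.search(kw.arg) and _is_str_literal(kw.value):
                    hits.append((kw.value.lineno, kw.arg, kw.value.value))
    return sorted(hits)


def installed_suspect_packages(names=("automslc",)):
    """Return the subset of `names` present among installed distributions."""
    installed = {(d.metadata["Name"] or "").lower() for d in md.distributions()}
    return sorted(n for n in names if n.lower() in installed)


# Constructed sample source with placeholder values (not the real package's code).
SAMPLE = '''
import requests
DEEZER_EMAIL = "placeholder@example.com"
DEEZER_PASSWORD = "placeholder-password"
def login(client):
    client.login(email="placeholder@example.com", password=DEEZER_PASSWORD)
    client.set(token="placeholder-token")
'''

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_credentials(SAMPLE):
        print(f"line {lineno}: {name} = {value!r}")
    print("suspect packages installed:", installed_suspect_packages())
```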

Source: https://www.bleepingcomputer.com/news/security/pypi-package-with-100k-installs-pirated-music-from-deezer-for-years/