Seven malicious packages were identified on PyPI, utilizing Gmail’s SMTP servers and WebSockets for data exfiltration and remote command execution.
Discovery and Removal of Malicious Packages
The threat research team at Socket discovered these packages and reported their findings to PyPI, leading to their removal. Some of these packages had been available for over four years, with one package downloaded more than 18,000 times.
List of Malicious Packages
Here are the malicious packages identified by Socket:
- Coffin-Codes-Pro (9,000 downloads)
- Coffin-Codes-NET2 (6,200 downloads)
- Coffin-Codes-NET (6,100 downloads)
- Coffin-Codes-2022 (18,100 downloads)
- Coffin2022 (6,500 downloads)
- Coffin-Grave (6,500 downloads)
- cfc-bsb (2,900 downloads)
These packages impersonated the legitimate Coffin package, which integrates Jinja2 templates into Django projects.
Malicious Functionality and Operations
Socket’s investigation revealed that these packages enabled covert remote access and data exfiltration through Gmail. They used hardcoded Gmail credentials to log into Google’s SMTP server (smtp.gmail.com) and send reconnaissance data, which signaled the compromise to the attackers and let them remotely access the affected systems.
Techniques for Evasion
Since Gmail is a trusted service, firewalls and endpoint detection and response (EDR) systems are less likely to flag this activity as suspicious. Once the email signaling was complete, the malware connected to a remote server using WebSocket over SSL, establishing a persistent, encrypted, bidirectional tunnel.
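As an added illustration (not code from the Socket report or from the packages themselves), the following static check walks a directory of Python sources, such as a site-packages tree, and flags the combination described above: an smtplib connection to smtp.gmail.com, a login() call with string-literal credentials, and a WebSocket client import. The SAMPLE source is constructed for the demonstration, and the module names checked for WebSocket use are assumptions.

```python
import ast
from pathlib import Path

def _is_gmail_smtp_call(node):
    """True for smtplib.SMTP(...) / SMTP_SSL(...) calls aimed at smtp.gmail.com."""
    name = getattr(node.func, "attr", None) or getattr(node.func, "id", None)
    if name not in ("SMTP", "SMTP_SSL"):
        return False
    values = list(node.args) + [k.value for k in node.keywords]
    return any(isinstance(v, ast.Constant) and v.value == "smtp.gmail.com" for v in values)

def _is_hardcoded_login(node):
    """True for <obj>.login("user", "pass") with both credentials as string literals."""
    return (isinstance(node.func, ast.Attribute) and node.func.attr == "login"
            and len(node.args) == 2
            and all(isinstance(a, ast.Constant) and isinstance(a.value, str) for a in node.args))

def scan_source(src):
    """Return the sorted list of indicators found in one Python source string."""
    findings = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            if _is_gmail_smtp_call(node):
                findings.add("gmail_smtp")
            if _is_hardcoded_login(node):
                findings.add("hardcoded_login")
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            if any(m.split(".")[0] in ("websocket", "websockets") for m in mods):  # assumed client module names
                findings.add("websocket_import")
    return sorted(findings)

def scan_tree(root):
    """Map each .py file under root (e.g. a site-packages dir) to its indicators."""
    results = {}
    for path in Path(root).rglob("*.py"):
        try:
            found = scan_source(path.read_text(encoding="utf-8", errors="ignore"))
        except SyntaxError:  # skip unparsable files (e.g. Python 2 era sources)
            continue
        if found:
            results[str(path)] = found
    return results

# Constructed sample reproducing the described pattern; not the actual package code.
SAMPLE = '''
import smtplib, websocket
conn = smtplib.SMTP_SSL(host="smtp.gmail.com", port=465)
conn.login("mailbox@example.com", "hardcoded-password")
'''
```

A file showing all three indicators together is a strong lead for manual review; any one alone (legitimate mail-sending code, for instance) is not proof of compromise.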
Capabilities of the Malware
Using a ‘Client’ class, the malware could:
- Forward traffic from the compromised host to the local system
- Access internal admin panels and APIs
- Transfer files
- Exfiltrate emails
- Execute shell commands
- Harvest credentials
- Move laterally within networks
Indicators of Cryptocurrency Theft
Socket highlighted strong indicators that these packages aimed to steal cryptocurrency, as seen in the email addresses used, such as blockchain.bitcoins2020@gmail.com. This method resembles past tactics used to steal Solana private keys.
If you have installed any of these packages, it is crucial to remove them immediately and rotate any affected keys and credentials.
Related Findings in NPM
A related report by Sonatype researcher Ax Sharma detailed a crypto-stealing package named crypto-encrypt-ts, found on npm. This package masqueraded as a TypeScript version of the now-unmaintained CryptoJS library while exfiltrating cryptocurrency wallet secrets to a threat actor-controlled endpoint.
The malicious package, which persists on infected systems through cron jobs, targets wallets with balances exceeding 1,000 units, attempting to steal their private keys. It was downloaded nearly 2,000 times before being reported and removed.