Malicious PyPI Packages Abuse Gmail and WebSockets for System Hijacking

Seven malicious PyPI packages have been discovered abusing Gmail's SMTP servers and WebSockets for remote command execution and data exfiltration. The packages, which had been on PyPI for over four years, were identified by Socket's threat research team, which reported them to PyPI; the packages have since been removed.

Before their removal, the packages had already been downloaded extensively; one of them exceeded 18,000 downloads, according to third-party download counters.


List of Malicious Packages:

The seven packages, all impersonating a legitimate package, with download counts from third-party counters, were:

  • Coffin-Codes-Pro (9,000 downloads)
  • Coffin-Codes-NET2 (6,200 downloads)
  • Coffin-Codes-NET (6,100 downloads)
  • Coffin-Codes-2022 (18,100 downloads)
  • Coffin2022 (6,500 downloads)
  • Coffin-Grave (6,500 downloads)
  • cfc-bsb (2,900 downloads)

These packages masqueraded as Coffin, a legitimate package for integrating Jinja2 templates into Django projects.


Malicious Functionality and Exploits:

Socket's team found that the packages used hardcoded Gmail credentials to log into Gmail's SMTP server (smtp.gmail.com) and email basic reconnaissance information about the infected host to the attackers. The email is a beacon announcing a newly compromised system; the remote access itself comes from the tunnel established next.

Because Gmail is a widely trusted service, outbound SMTP to it typically does not trip firewall or Endpoint Detection and Response (EDR) rules. After the email beacon, the malware opened a persistent WebSocket connection over SSL/TLS, giving the attacker an encrypted, bidirectional tunnel between the compromised host and their server.

Through this tunnel the attacker could carry out a range of actions, including:

  • Internal admin panel and API access
  • File transfers
  • Email exfiltration
  • Shell command execution
  • Credentials harvesting
  • Lateral movement

Indications of Cryptocurrency Theft:

Socket's research also indicates that the packages were likely intended to steal cryptocurrency. Indicators such as the email address blockchain.bitcoins2020@gmail.com suggest the attackers were targeting crypto assets, using methods resembling those seen in earlier attacks that stole Solana private keys.


What You Should Do:

If any of the above packages are installed in your environment, remove them immediately and rotate any keys and credentials the affected systems could have exposed: the tunnel gave the attacker shell access and the ability to harvest credentials, so anything reachable from those hosts should be treated as compromised.


Crypto-Specific Malware:

Separately, a crypto-stealing package named crypto-encrypt-ts was found on npm. It masquerades as a TypeScript version of the CryptoJS library but exfiltrates cryptocurrency wallet secrets and environment variables to a Better Stack endpoint controlled by the threat actors. The package persists on infected systems via cron jobs and only targets wallets with balances above 1,000 units, attempting to steal their private keys.
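As an added example (not code from Socket's report or from any of the packages described), the following Python script performs the check that the "What You Should Do" section calls for against the seven PyPI names listed above, extends it to an npm package-lock.json for crypto-encrypt-ts, and adds a source heuristic for the pattern described under "Malicious Functionality": hardcoded credentials used to log into smtp.gmail.com in the same module that opens a WebSocket client. The package names are those given in the article; the regular expressions, the sample inputs and the decision to treat the co-occurrence as suspicious are this example's own assumptions.

```python
"""Added example: inventory checks for the packages named in the article,
plus a heuristic for the Gmail-SMTP-beacon-then-WebSocket pattern."""
import json
import re
from importlib import metadata

# Names quoted in the article. PyPI compares names case-insensitively and
# treats '-', '_' and '.' as equivalent, so every comparison goes through
# normalize() (the PEP 503 rule) rather than a raw string match.
MALICIOUS_PYPI = [
    "Coffin-Codes-Pro", "Coffin-Codes-NET2", "Coffin-Codes-NET",
    "Coffin-Codes-2022", "Coffin2022", "Coffin-Grave", "cfc-bsb",
]
MALICIOUS_NPM = ["crypto-encrypt-ts"]


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of [-_.] to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_malicious_python(installed):
    """Return the given distribution names that match the article's list."""
    bad = {normalize(n) for n in MALICIOUS_PYPI}
    return sorted(n for n in installed if normalize(n) in bad)


def installed_python_names():
    """Distribution names visible to the interpreter running this script."""
    return [d.metadata["Name"] for d in metadata.distributions()
            if d.metadata and d.metadata["Name"]]


def find_malicious_npm(lockfile_text: str):
    """Search a package-lock.json (v2/v3 'packages' map or v1 'dependencies')
    for the npm package named in the article. Returns the matching entries."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, entry in lock.get("packages", {}).items():
        # v2/v3 entries are keyed by path; scoped and nested paths end in
        # 'node_modules/<name>', the root entry ("") carries an explicit name.
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in MALICIOUS_NPM:
            hits.append(path or name)
    for name in lock.get("dependencies", {}):          # v1 layout
        if name in MALICIOUS_NPM:
            hits.append(name)
    return sorted(set(hits))


# Heuristic (assumption, not an IOC from the report): a module that logs into
# smtp.gmail.com with literal credentials AND opens a WebSocket client. Either
# alone is common in legitimate code; together in a third-party library module
# they warrant a manual look.
SMTP_HOST = re.compile(r"smtp\.gmail\.com")
SMTP_LOGIN = re.compile(r"\.login\(\s*['\"][^'\"]+['\"]\s*,\s*['\"][^'\"]+['\"]")
WEBSOCKET = re.compile(r"\bwss?://|\bwebsocket", re.IGNORECASE)


def suspicious_beacon_source(source: str) -> bool:
    """True when all three indicators appear in one source text."""
    return bool(SMTP_HOST.search(source) and SMTP_LOGIN.search(source)
                and WEBSOCKET.search(source))


# Constructed inputs so the script runs offline; none of this is real
# package content or a real lockfile.
SAMPLE_INSTALLED = ["requests", "coffin_codes_2022", "Django", "Coffin"]
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app"},
        "node_modules/crypto-js": {"version": "4.2.0"},
        "node_modules/crypto-encrypt-ts": {"version": "1.0.0"},
    },
})
SAMPLE_SOURCE = '''
import smtplib, ssl, websocket
s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
s.login("example.account@gmail.com", "app-password")
ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE})
ws.connect("wss://example.invalid/tunnel")
'''

if __name__ == "__main__":
    print("PyPI hits (sample):", find_malicious_python(SAMPLE_INSTALLED))
    print("PyPI hits (this interpreter):",
          find_malicious_python(installed_python_names()))
    print("npm hits (sample lock):", find_malicious_npm(SAMPLE_LOCK))
    print("beacon heuristic (sample):", suspicious_beacon_source(SAMPLE_SOURCE))
```

Note that the legitimate Coffin package passes the name check: the typosquats differ from it only by suffix, so the normalized names never collide. A real sweep should run the name check against every interpreter and virtual environment on a host, not just the one executing the script, and treat a heuristic hit as a prompt for manual review rather than proof of compromise.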