This article discusses the discovery of a malicious PyPI package named automslc, which enables unauthorized music downloads from the Deezer streaming service. The package has been downloaded over 100,000 times and facilitates piracy by embedding hardcoded credentials and communicating with a command and control server, thereby violating Deezer’s API terms. Affected: Deezer, PyPI
Keypoints :
- The PyPI package automslc allows unauthorized downloading of music from Deezer.
- It has been downloaded over 100,000 times, disguising itself as a music automation tool.
- The package embeds hardcoded credentials for Deezer and communicates with a C2 server.
- It violates Deezer’s API terms by aggregating and downloading full-length audio files.
- The threat actor behind the package maintains centralized control via a fixed command and control server.
- The article recommends using comprehensive security tools to detect and prevent the installation of such malicious packages.
MITRE Techniques :
- T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain used to exploit vulnerabilities in the software repository.
- T1608.001 – Stage Capabilities: Upload Malware used for deploying the malicious package into the environment.
- T1204.002 – User Execution: Malicious File indicating that users may execute the package unknowingly.
- T1059.006 – Command and Scripting Interpreter: Python used for scripting malicious interactions with Deezer’s API.
- T1071.001 – Application Layer Protocol: Web Protocols indicating the remote communication with the C2 server.
- T1119 – Automated Collection, indicating the automated retrieval and aggregation of track metadata.
Indicator of Compromise :
- [C2 IP] 54.39.49.17
- [Domain] automusic.win
- [Email Address] getmoneykhmt3@gmail.com
- [Email Address] mun87081@cndps.com
- [GitHub] https://github.com/vtandroid
Full Story: https://socket.dev/blog/malicious-pypi-package-exploits-deezer-api-for-coordinated-music-piracy
Views: 23
简体中文
Nederlands
Français
Bahasa Indonesia
日本語
Português