The Socket team has uncovered a malicious PyPI package named pycord-self that targets Python developers looking for Discord API wrappers. By impersonating the legitimate package discord.py-self, it tricks users into installing it, allowing attackers to steal authentication tokens and establish remote access. This highlights the need for developers to scrutinize package dependencies. Affected: PyPI
Keypoints :
- The malicious package pycord-self mimics the legitimate discord.py-self package.
- Targeted victims include Python developers and Discord bot creators.
- The fraudulent package has significantly fewer downloads compared to the legitimate one.
- Malicious code in pycord-self exfiltrates Discord tokens and establishes a backdoor.
- Developers are advised to verify package authors and use scanning tools.
MITRE Techniques :
- Credential Dumping (T1003): Exfiltration of Discord authentication tokens to a malicious URL.
- Remote Access Software (T1219): Establishment of a backdoor connection to a remote server for persistent access.
Indicator of Compromise :
- [IP Address] 45.159.223.177
- [Domain] radium[lol]
- [URL] http://radium[lol]:42069/v2/3e728hd782dbyu12veyu2gd872fdg235jgg432fg/0/getupdates
- [Port] 6969
- Check the article for all found IoCs.
Full Research: https://socket.dev/blog/malicious-pypi-package-targets-discord-developers-with-token-theft-and-backdoor