Researchers Uncover Malware in Fake Discord PyPI Package Downloaded 11,500+ Times

Avatar
Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that masquerades as a seemingly harmless Discord-related utility but incorporates a remote access trojan. The package in question is discordpydebug, which was uploaded to PyPI on March 21, 2022. It has been downloaded 11,574 times and continues to be available on the open-source registry.
[[{“value”:”

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that masquerades as a seemingly harmless Discord-related utility but incorporates a remote access trojan.

The package in question is discordpydebug, which was uploaded to PyPI on March 21, 2022. It has been downloaded 11,574 times and continues to be available on the open-source registry. Interestingly, the package has not received any update since then.

“At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library,” the Socket Research Team said. “However, the package concealed a fully functional remote access trojan (RAT).”

The package, once installed, contacts an external server (“backstabprotection.jamesx123.repl[.]co”), and includes features to read and write arbitrary files based on commands, readfile or writefile, received from the server. The RAT also supports the ability to run shell commands.

In a nutshell, discordpydebug could be used to read sensitive data, such as configuration files, tokens, and credentials, tamper with existing files, download additional payloads, and run commands to exfiltrate data.

“While the code does not include mechanisms for persistence or privilege escalation, its simplicity makes it particularly effective,” Socket said. “The use of outbound HTTP polling rather than inbound connections allows it to bypass most firewalls and security monitoring tools, especially in less tightly controlled development environments.”

The development comes as the software supply chain security company also uncovered over 45 npm packages posing as legitimate libraries available on other ecosystems as a way to trick developers into installing them. Some of the notable ones are listed below –

beautifulsoup4 (a typosquat of the BeautifulSoup4 Python library)
apache-httpclient (a typosquat of the Apache HttpClient Java library)
opentk (a typosquat of the OpenTK .NET library)
seaborn (a typosquat of the Seaborn Python library)

All the identified packages have been found to share the same infrastructure, use similar obfuscated payloads, and point to the same IP address, despite listing different maintainers, indicating the work of a single threat actor.

“Packages identified as part of this campaign contain obfuscated code designed to bypass security measures, execute malicious scripts, exfiltrate sensitive data, and maintain persistence on affected systems,” Socket said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

NSO Group Fined $168M for Targeting 1,400 WhatsApp Users With Pegasus Spyware

Next Post

Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization

Related Posts

Hackers Target Over 70 Microsoft Exchange Servers to Steal Credentials via Keyloggers

Unidentified threat actors have been observed targeting publicly exposed Microsoft Exchange servers to inject malicious code into the login pages that harvest their credentials. Positive Technologies, in a new analysis published last week, said it identified two different kinds of keylogger code written in JavaScript on the Outlook login page - Those that save collected data to a local file
Avatar
Read More

WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network

The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services like Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own that's designed to distribute malicious content. "VexTrio is a group of malicious adtech companies that distribute scams and harmful software via
Avatar
Read More