Attackers continue to use popular open-source package repositories to spread malicious code. Recently, researchers at Socket found suspicious packages on the Python Package Index (PyPI) that impersonated useful tools but actually collected information about users of Instagram, TikTok, and Telegram.
Three harmful libraries, named “Checker-Sagaf”, “Steinlurks”, and “Sinnercore”, were uploaded to PyPI over the past months and downloaded more than 6,000 times. Although they have since been removed, the consequences of their use could be significant.
“Checker-Sagaf” checked whether a given email address was associated with TikTok and Instagram accounts by sending HTTP POST requests to the platforms' password-reset endpoints. This made it easy to confirm that stolen addresses belong to live accounts, so they could be used in attacks such as phishing, spam, or targeted selection of accounts.
The “Steinlurks” package followed a similar pattern but focused specifically on Instagram. It mimicked an Android application and sent spoofed requests to several Instagram API endpoints in an attempt to bypass the platform's security measures and validate accounts.
“Sinnercore” went a step further by initiating a fake password-recovery flow for a given Instagram username and collecting data from Telegram profiles. It also bundled cryptocurrency utilities for fetching Binance exchange rates, currency-conversion functions, and tools for gathering information about other PyPI packages.
These actions aim to harvest valid email addresses and accounts for use in future attacks or for sale on underground markets. What looks like harmless tooling at first glance is actually part of a longer attack chain, and that disguise makes detection harder.
In early May, a malicious PyPI package named “DBGPKG” was discovered disguised as a debugging tool; it actually planted a backdoor on the developer's system for remote code execution and data exfiltration. Analysis revealed similarities to earlier packages such as “Discordpydebug” and “RequestSDEV”.