Gmail servers hijacked by malicious PyPI packages to spread havoc - here's how to stay safe
Sead Fadilpašić
Researchers uncover multiple malicious PyPI packages
Socket found seven malicious packages on PyPI
The packages were abusing Gmail and WebSocket
They were removed from the platform
Several malicious PyPI packages were recently observed abusing Gmail to exfiltrate stolen sensitive data and communicate with their operators.
Cybersecurity researchers at Socket, who found the packages, reported them to the Python repository and helped get them removed from the platform; however, by then the damage had already been done.
According to Socket, there were seven malicious PyPI packages, some of which had been sitting on the platform for more than four years. Cumulatively, they had more than 55,000 downloads. Most imitate the legitimate Coffin package, with names like Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, and Coffin-Grave. One was called cfc-bsb.
Compromised hosting accounts
The researchers explained that once the package is installed on the victim device, it connects to Gmail using hardcoded credentials, and contacts the C2 server.
It then creates a tunnel using WebSockets, and since Gmail’s email server is being used for communication, the communication bypasses most firewalls and other security measures.
As a result, the attackers are able to send commands, steal files, run code, and even access systems remotely.
However, it seems the crooks were mostly interested in crypto theft, since one of the email addresses the malware was reaching out to had the words “blockchain” and “bitcoin” in it:
“Coffin-Codes-Pro establishes a connection to Gmail’s SMTP server using hardcoded credentials, namely sphacoffin@gmail[.]com and a password,” the report says.
“It then sends a message to a second email address, blockchain[.]bitcoins2020@gmail[.]com politely and demurely signaling that the implant is working.”
Socket has warned all Python users running any of the packages in their environment to remove them immediately and rotate keys and credentials as needed.
The researchers also urged everyone to watch for unusual outbound connections, “especially SMTP traffic”, and warned them not to trust a package just because it was a few years old.
“To protect your codebase, always verify package authenticity by checking download counts, publisher history, and GitHub repository links,” they added.
“Regular dependency audits help catch unexpected or malicious packages early. Keep strict access controls on private keys, carefully limiting who can view or import them in development. Use isolated, dedicated environments when testing third-party scripts to contain potentially harmful code.”
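The audit the researchers recommend, as an added example that is not part of the article or of Socket's tooling: it checks installed package names against the seven names reported above and statically scans Python source for the pattern the report describes (an SMTP session to Gmail opened with hardcoded credentials, plus a WebSocket import). The sample module and its credentials are constructed placeholders.

```python
"""Added example, not from the article or from Socket: a small dependency
audit helper for the indicators described in the report."""
import ast
import re

# The seven package names from the Socket report, normalised the way pip does.
KNOWN_BAD = {"coffin-codes-pro", "coffin-codes-net2", "coffin-codes-net",
             "coffin-codes-2022", "coffin2022", "coffin-grave", "cfc-bsb"}


def normalize(name: str) -> str:
    """PEP 503 name normalisation so Coffin_Codes_NET2 matches coffin-codes-net2."""
    return re.sub(r"[-_.]+", "-", name).lower()


def known_bad(installed: list[str]) -> list[str]:
    """Return the installed distribution names that match the reported packages."""
    return sorted(n for n in installed if normalize(n) in KNOWN_BAD)


def scan_source(src: str) -> list[str]:
    """Return indicator tags found in one module's source (static, never executes it)."""
    hits = []
    for node in ast.walk(ast.parse(src)):
        # Indicator 1: WebSocket tunnelling library imported.
        if isinstance(node, ast.Import):
            mods = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        if any(m.split(".")[0] in ("websocket", "websockets") for m in mods):
            hits.append("websocket-import")
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        attr = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        lits = [a.value for a in node.args if isinstance(a, ast.Constant) and isinstance(a.value, str)]
        # Indicator 2: smtplib session to Gmail with a literal hostname.
        if attr in ("SMTP", "SMTP_SSL") and any("smtp.gmail.com" in s for s in lits):
            hits.append("gmail-smtp")
        # Indicator 3: login() called with two string literals, i.e. hardcoded credentials.
        if attr == "login" and len(lits) >= 2:
            hits.append("hardcoded-login")
    return hits


# Constructed sample module mimicking the described behaviour (placeholder values).
SAMPLE = '''
import smtplib, websocket
s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
s.login("sender@example.invalid", "PLACEHOLDER-PASSWORD")
s.sendmail("sender@example.invalid", "operator@example.invalid", "implant alive")
'''
```

Run `scan_source` over each `.py` file under a site-packages directory and `known_bad` over `pip list` output; a hit is a reason to inspect, not proof on its own, since legitimate mail-sending code can match the SMTP indicator.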
Via BleepingComputer
Sead Fadilpašić
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.