Malicious packages were found in the Python repository PyPI that used social media APIs to check whether a particular email address was associated with them. This information could be used by attackers to launch attacks.
Malicious packages were found in the Python repository PyPI that used social media APIs to check whether a particular email address was associated with them. This information could be used by attackers to launch attacks.
This was reported by The Hacker News, citing a researcher at Socket. Olivia Brown reported that the attackers uploaded Trojan libraries to PyPI under the names checker-SaGaF, steinlurks, and sinnercore. They have since been removed from the platform, but they managed to collect more than 6,900 downloads. Source: Socket, The Hacker News
The main task of these packages is to check whether a given email address is associated with a TikTok or Instagram account. For example, checker-SaGaF sent requests to TikTok’s password recovery and Instagram’s login functions. If the API response confirmed that the account existed, the address was considered valid.
Such «checkers» help hackers form lists of real accounts for further attacks: from spam to password hacking. Email address validation is an important link in the preparation of phishing campaigns, credential stuffing, or selling databases on the dark web.
Another package, steinlurks, mimicked requests from the Instagram Android app to evade detection. It accessed various internal APIs, including i.instagram.com/api/v1/users/lookup/.
Sinnercore went even further — it not only verified accounts, but also collected data from Telegram (name, ID, status), worked with cryptocurrency rates on Binance, and even searched for package information on PyPI itself. This could be used to create fake profiles of supposedly «real» developers.
This is not the first time PyPI has been abused to distribute malware. Just recently, analysts from ReversingLabs discovered another package, dbgpkg, that installed a backdoor on a developer’s computer.
Recall that recently, our news feed published an article about how hackers had been distributing a malicious version of KeePass for at least eight months, which installs Cobalt Strike, steals passwords, and adds programs that harm the device.
