Gmail servers hijacked by malicious PyPI packages to spread havoc - here's
how to stay safe
Date:
Mon, 05 May 2025 13:05:00 +0000
Description:
Researchers found multiple malicious PyPI packages, some several years old, but still a threat.
FULL STORY ======================================================================Socket found seven malicious packages on PyPI The packages were abusing Gmail and WebSocket They were removed from the platform
Several malicious PyPI packages were recently observed abusing Gmail to exfiltrate stolen sensitive data and communicate with their operators.
Cybersecurity researchers Socket, who found the packages, reported them to
the Python repository and thus helped get them removed from the platform - however the damage has already been done.
According to Socket, there were seven malicious PyPI packages, some of which were sitting on the platform for more than four years. Cumulatively, they had more than 55,000 downloads. Most are an imitation of the legitimate Coffin package, with names like Coffin-Codes-Pro, Coffin-Codes, NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, and Coffin-Grave. One was called cfc-bsb.
Get Keeper Personal for just $1.67/month, Keeper Family for just
$3.54/month, and Keeper Business for just $7/month
Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.
It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts
to protect against cyber threats.
Preferred partner ( What does this mean? ) View Deal Compromised hosting accounts
The researchers explained that once the package is installed on the victim device, it connects to Gmail using hardcoded credentials, and contacts the C2 server.
It then creates a tunnel using WebSockets, and since Gmails email server is being used for communication, the communication bypasses most firewalls and other security measures.
As a result, the attackers are able to send commands, steal files, run code, and even access systems remotely.
However, it seems that the crooks were mostly interested in crypto theft, since one of the email addresses the malware was reaching out to had the
words blockchain and bitcoin it it:
Coffin-Codes-Pro establishes a connection to Gmails SMTP server using hardcoded credentials, namely sphacoffin@gmail[.]comand a password, the
report says.
It then sends a message to a second email address, blockchain[.]bitcoins2020@gmail[.]com politely and demurely signaling that
the implant is working.
Socket has warned all Python users running any of the packages in their environment to remove them immediately and rotate keys and credentials as needed.
The researchers also urged everyone to watch for unusual outbound
connections, especially SMTP traffic, and warned them not to trust a package just because it was a few years old.
"To protect your codebase, always verify package authenticity by checking download counts, publisher history, and GitHub repository links, they added.
Regular dependency audits help catch unexpected or malicious packages early. Keep strict access controls on private keys, carefully limiting who can view or import them in development. Use isolated, dedicated environments when testing third-party scripts to contain potentially harmful code.
Via BleepingComputer You might also like US government warns this popular
CMS software has a worrying security flaw Take a look at our guide to the
best authenticator app We've rounded up the best password managers
======================================================================
Link to news story:
https://www.techradar.com/pro/security/gmail-servers-hijacked-by-malicious-pyp i-packages-to-spread-havoc-heres-how-to-stay-safe
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)