BleepingComputer reports that security researchers have uncovered seven malicious Python Package Index packages leveraging Gmail's SMTP servers and encrypted WebSocket connections to exfiltrate data and execute remote commands on infected systems.
The packages, which were discovered by Socket's threat intelligence team, operate under deceptive names such as Coffin-Codes-Pro and Coffin-Codes-2022 and collectively accounted for tens of thousands of downloads, with one exceeding 18,000. To evade detection, the packages mimic the legitimate Coffin module used with Jinja2 and Django. The malicious code employed hardcoded Gmail credentials to transmit system reconnaissance data, evading firewall and endpoint detection by appearing as routine Gmail activity. It then initiated persistent, encrypted tunnels using WebSockets over SSL to facilitate shell command execution, internal system access, credential harvesting, and lateral movement.

In a parallel discovery, Sonatype researcher Ax Sharma identified a malicious npm package, crypto-encrypt-ts, which targeted cryptocurrency wallets by stealing environment variables and private keys from systems with high-value balances. This package impersonated the outdated CryptoJS library and maintained persistence using scheduled cron jobs before its removal from the npm registry. Users who may have installed these packages are advised to uninstall them immediately and rotate any associated credentials. Indicators of potential cryptocurrency theft were also observed in associated email metadata.
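The advisory above tells affected users to uninstall the named packages and rotate credentials; the first step in doing that is finding out whether they are installed at all. The following script is an added example, not code from BleepingComputer, Socket or Sonatype: it parses the JSON output of `pip list --format=json` and `npm ls --all --json` and flags any package whose name matches the ones named in this report. It seeds the watch lists only with names that appear in the text (the full seven-package PyPI list from Socket's advisory is not on this page, so extend `MALICIOUS_PYPI` from that source). The PyPI check applies PEP 503 name normalization, because pip may report `coffin_codes_pro` for a project published as `Coffin-Codes-Pro`; the npm check walks transitive dependencies, since a wallet project may pull the package in indirectly. The sample `pip list` and `npm ls` documents are constructed for the demonstration.

```python
import json
import re
import subprocess

# Package names taken from the report. Assumption: this list is incomplete;
# the PyPI advisory names seven packages and only two appear in the text.
MALICIOUS_PYPI = {"Coffin-Codes-Pro", "Coffin-Codes-2022"}
MALICIOUS_NPM = {"crypto-encrypt-ts"}


def normalize_pypi_name(name: str) -> str:
    """PEP 503 normalization: lowercase, with runs of '-', '_' and '.' collapsed to '-'.
    Without this, 'coffin_codes_pro' would not match the published name 'Coffin-Codes-Pro'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_malicious_pip(pip_list_json: str, iocs=MALICIOUS_PYPI) -> list[dict]:
    """Return entries from `pip list --format=json` output whose normalized name is on the watch list."""
    bad = {normalize_pypi_name(n) for n in iocs}
    hits = []
    for entry in json.loads(pip_list_json):
        if normalize_pypi_name(entry["name"]) in bad:
            hits.append({"ecosystem": "pypi", "name": entry["name"], "version": entry.get("version")})
    return hits


def _walk_npm_deps(deps: dict, bad: set, hits: list, path: tuple = ()) -> None:
    """Depth-first walk over the nested 'dependencies' tree produced by `npm ls --all --json`."""
    for name, info in (deps or {}).items():
        if name in bad:  # npm registry names are lowercase, so a direct comparison suffices
            hits.append({"ecosystem": "npm", "name": name, "version": info.get("version"),
                         "path": " > ".join(path + (name,))})
        _walk_npm_deps(info.get("dependencies"), bad, hits, path + (name,))


def find_malicious_npm(npm_ls_json: str, iocs=MALICIOUS_NPM) -> list[dict]:
    """Return direct or transitive npm dependencies that match the watch list, with their dependency path."""
    hits: list = []
    _walk_npm_deps(json.loads(npm_ls_json).get("dependencies"), set(iocs), hits)
    return hits


def scan_live_host() -> list[dict]:
    """Run the real tools on this host; a missing tool or non-JSON output is skipped, not fatal."""
    findings = []
    for cmd, fn in (
        (["pip", "list", "--format=json"], find_malicious_pip),
        (["npm", "ls", "--all", "--json"], find_malicious_npm),
    ):
        try:
            # check=False: `npm ls` exits non-zero on dependency problems but still prints JSON.
            out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
            findings.extend(fn(out))
        except (FileNotFoundError, json.JSONDecodeError):
            continue
    return findings


# Constructed sample output, shaped like the real tools' JSON, for an offline run.
SAMPLE_PIP_LIST = json.dumps([
    {"name": "Django", "version": "4.2.1"},
    {"name": "coffin_codes_pro", "version": "1.0.3"},
    {"name": "Jinja2", "version": "3.1.2"},
])

SAMPLE_NPM_LS = json.dumps({
    "name": "wallet-service",
    "dependencies": {
        "express": {"version": "4.18.2", "dependencies": {}},
        "some-util": {"version": "0.1.0",
                      "dependencies": {"crypto-encrypt-ts": {"version": "1.0.0"}}},
    },
})

if __name__ == "__main__":
    findings = find_malicious_pip(SAMPLE_PIP_LIST) + find_malicious_npm(SAMPLE_NPM_LS)
    for f in findings:
        print(f"FOUND {f['ecosystem']}:{f['name']} {f['version']} {f.get('path', '')}")
    if findings:
        print("Uninstall the flagged packages and rotate any credentials present on this host.")
```

Run it as-is to see the two constructed hits, or call `scan_live_host()` to check the machine it runs on. A clean result from this check is not proof of a clean host: it only covers the names on the watch list, so pair it with the full IoC lists from the vendor advisories and with the credential rotation the report recommends.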