The Socket Research team investigates a malicious Python package disguised as a Discord error logger that executes remote commands and exfiltrates data via a covert C2 channel.
On March 21, 2022, a Python package ‘discordpydebug’ was uploaded to the Python Package Index (PyPI) under the name "Discord py error logger." At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library. However, the package concealed a fully functional remote access trojan (RAT). Over time, the package reached over 11,000 downloads, placing thousands of developer systems at risk.

The package targeted developers who build or maintain Discord bots, typically indie developers, automation engineers, or small teams who might install such tools without extensive scrutiny. Since PyPI doesn’t enforce deep security audits of uploaded packages, attackers often take advantage of this by using misleading descriptions, legitimate-sounding names, or even copying code from popular projects to appear trustworthy. In this case, the goal was to lure unsuspecting developers into installing a backdoor disguised as a debugging aid.

Discord’s developer ecosystem is both massive and tightly knit. With over 200 million monthly active users, more than 25% of whom interact with third-party apps, Discord has rapidly evolved into a platform where developers not only build but also live test, share, and iterate on new ideas directly with their users. Public and private servers dedicated to development topics foster an informal, highly social culture where tips, tools, and code snippets are shared freely and often used with little scrutiny. It’s within these trusted peer-to-peer spaces that threat actors can exploit social engineering tactics, positioning themselves as helpful community members and promoting tools like discordpydebug under the guise of debugging utilities.

The fact that this package was downloaded over 11,000 times, despite having no README or documentation, highlights how quickly trust can be weaponized in these environments. Whether spread via casual recommendation, targeted DMs, or Discord server threads, such packages can gain traction before ever being formally vetted.

Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages. These seven packages:

Coffin-Codes-Pro
Coffin-Codes-NET2
Coffin-Codes-NET
Coffin-Codes-2022
Coffin2022
Coffin-Grave
cfc-bsb
use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.

These packages have since been removed from the Python Package Index (PyPI).

Learn how JFrog detected a malicious package that steals MEXC credentials and crypto trading tokens to buy and sell futures on crypto trading platforms.

For the first time, RL researchers discover malicious locally-installed npm packages infecting other legitimate packages.

This blog post looks into how 62 malicious extensions circumvent Google’s restrictions of remote code execution in extensions. One group of extensions is associated with the company Phoenix Invicta, another with Technosense Media. The largest group around Sweet VPN hasn’t been attributed yet.

To avoid compromised packages being introduced as a dependency in a larger project, security teams need to keep an eye peeled for such malicious code.

The scourge of “malvertising” is nothing new, but the tactic is still so effective that it's contributing to the rise of investment scams and the spread of new strains of malware.

Yesterday, Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While the attacker published this malicious update to PyPI, they deliberately kept the package's GitHub repository clean

A new campaign has targeted the npm package repository with malicious JavaScript libraries that are designed to infect Roblox users with open-source stealer malware such as Skuld and Blank-Grabber.

"This incident highlights the alarming ease with which threat actors can launch supply chain attacks by exploiting trust and human error within the open source ecosystem, and using readily available commodity malware, public platforms like GitHub for hosting malicious executables, and communication channels like Discord and Telegram for C2 operations to bypass traditional security measures," Socket security researcher Kirill Boychenko said in a report shared with The Hacker News.

Since mid-September 2024, our telemetry has revealed a significant increase in “Lumma Stealer”1 malware deployments via the “HijackLoader”2 malicious loader.

On October 2, 2024, HarfangLab EDR detected and blocked yet another HijackLoader deployment attempt – except this time, the malware sample was properly signed with a genuine code-signing certificate.

In response, we initiated a hunt for code-signing certificates (ab)used to sign malware samples. We identified and reported more of such certificates. This report briefly presents the associated stealer threat, outlines the methodology for hunting these certificates, and providees indicators of compromise.

Emails, documents, and other untrusted content can plant malicious memories.

Pidgin is a universal chat client, allowing you to consolidate all your different messaging apps into a single tool.

Chinese hacking group Evasive Panda compromises ISP to push malware, targeting companies through DNS poisoning and insecure update mechanisms.

In mid-April 2024, Trellix Advanced Research Center team members observed multiple fake AV sites hosting highly sophisticated malicious files such as APK, EXE and Inno setup installer that includes Spy and Stealer capabilities. Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber-attacks. The hosted websites made to look legitimate are listed below.

Automation is making attacks on open source code repositories harder to fight.

A malicious ad for the popular admin tool PuTTY leads victims to a fake site that downloads malware.

GitHub keeps removing malware-laced repositories, but thousands remain.

Guardio Labs uncovers a sprawling campaign of subdomain hijacking, compromising already over 8,000 domains from esteemed brands and institutions, including MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, eBay and others. This malicious activity, dubbed “SubdoMailing”, leverages the trust associated with these domains to circulate spam and malicious phishing emails by the Millions each day, cunningly using their credibility and stolen resources to slip past security measures.

In our detailed analysis, we disclose how we detected this extensive subdomain hijacking effort, its mechanisms, its unprecedented scale and the main threat actor behind it. Furthermore, we developedthe “SubdoMailing” checker — a website designed to empower domain owners to reclaim control over their compromised assets and shield themselves against such pervasive threats. This report not only sheds light on the magnitude of the issue but also serves as a call to action for enhancing domain security against future exploits.

We terminated accounts associated with state-affiliated threat actors. Our findings show our models offer only limited, incremental capabilities for malicious cybersecurity tasks.

Did you download Warbeast2000 or Kodiak2k from npm? If so, your SSH keys might be compromised! These packages steal keys & upload them to GitHub.