Malicious PyPI Package Targets Discord Developers with Token Theft and Backdoor Exploit

The Socket research team has identified a malicious Python package on PyPI named pycord-self, targeting developers working with Discord’s user API. By mimicking the legitimate and widely used package discord.py-self, the malicious package tricks unsuspecting users into downloading it, leading to token theft and the installation of a persistent backdoor.

The malicious package exploits a common technique known as typosquatting. By slightly altering the name of the legitimate package (discord.py-self), attackers deceive developers who might mistype or misidentify the intended library. According to Socket, the legitimate discord.py-self has been downloaded over 27.88 million times, while the fraudulent pycord-self had 885 downloads as of discovery.

“This typosquatting attack highlights why it’s crucial for developers to carefully evaluate dependencies before installing them,” the report warns.

Once installed, the malicious package exfiltrates Discord authentication tokens to a remote server and establishes a persistent backdoor connection. This allows attackers to gain unauthorized access to the victim’s Discord account and take complete control of their system.

The package exfiltrates Discord authentication tokens, granting attackers unauthorized access to victims’ Discord accounts. The malicious code sends the tokens to a remote URL (http://radium.lol:42069) via HTTP requests.

The package installs a backdoor that connects to a remote server at 45.159.223.177:6969. Depending on the operating system, it launches either a bash or cmd shell, allowing attackers continuous access to the victim’s system. The backdoor operates in a separate thread, making it harder to detect.

The primary victims are Python developers and Discord bot creators searching for user API libraries. As these individuals incorporate dependencies into their projects, the malicious package exploits their trust to execute its payload.

Related Posts:

• Malicious PyPI Packages Expose User Credentials
• Cybercriminals Increasingly Target Google, Microsoft, and Amazon in Sophisticated Phishing Schemes
• Cybercriminals Turn Discord into Malware Playground with Lumma Stealer
• Warning: Fake WinRar Websites Distributing Malware