
In a detailed technical report, Socket’s Threat Research Team uncovered seven malicious Python packages published to the Python Package Index (PyPI), each designed to establish Gmail-based command-and-control (C2) tunnels, effectively bypassing security tools.
All seven packages (Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb) were found to establish outbound tunnels from infected machines using Gmail’s SMTP infrastructure. This tactic allows them to slip past firewalls and endpoint defenses that typically trust outbound email traffic.
“Once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages,” the Socket team warns.
The most alarming variant, Coffin-Codes-Pro, connects to Gmail’s SMTP server using hardcoded credentials (sphacoffin@gmail.com) and sends confirmation emails to another address, blockchain.bitcoins2020@gmail.com, effectively acknowledging the implant’s success.
“It then receives a message containing tunnel port instructions and emails the public_server_port to the original email,” the researchers noted.
After this exchange, the package establishes a WebSocket tunnel and spins up a TCP forwarder—allowing remote attackers to interact with services behind NATs or firewalls with full duplex communication.
Interestingly, each successive package version shows slight variations in email accounts and port-handling behavior but follows the same overarching architecture. Some use different Gmail credentials like hackingbsb@gmail.com or btcchain2@gmail.com. One of the earliest packages, cfc-bsb, lacks direct exfiltration functionality but retains suspicious tunneling capabilities that mimic tools like ngrok.
“These traits enable abuse for remote access, data smuggling, or botnet communication, and constitute a security risk even in the absence of exfiltration code,” the researchers explained.
While the hardcoded email addresses suggest links to cryptocurrency-related motives, the broader threat extends far beyond digital wallets. Attackers could use these tunnels to access internal dashboards, APIs, admin panels, and even execute scripts or shell commands.
“Previously, threat actors used this tactic to siphon private keys to Solana… but the attacker could pivot further into the network.”
Socket offers the following key defenses:
- Monitor outbound SMTP traffic for anomalies, even to trusted services like Gmail.
- Avoid assuming trustworthiness based on package age or download count.
- Audit dependencies regularly, verify GitHub links, and restrict access to sensitive assets.
- Use sandboxed environments when testing unknown or third-party packages.
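As an added example (not code from Socket's report or from the packages themselves), a static check that a dependency-audit step could run over a package's source files to flag the combination described above: a literal Gmail SMTP host, credentials passed as string literals, Gmail addresses, and tunnelling libraries in one file. The fixtures are constructed with placeholder addresses, and the `scan_source` and `risk_level` helpers are hypothetical.

```python
import ast
import re

# Indicators from the report: Gmail SMTP, literal credentials, Gmail addresses, tunnelling libs.
GMAIL_RE = re.compile(r"[\w.+-]+@gmail\.com", re.IGNORECASE)
TUNNEL_MODULES = {"socket", "websocket", "websockets", "asyncio"}

def _call_name(func):  # smtplib.SMTP -> "SMTP", s.login -> "login"
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")

def scan_source(source):
    """Statically scan one Python file for the Gmail-C2 pattern (hypothetical helper)."""
    found = {"gmail_smtp": False, "hardcoded_login": False,
             "gmail_addresses": set(), "tunnel_modules": set()}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):  # import socket, websocket
            found["tunnel_modules"] |= {a.name.split(".")[0] for a in node.names} & TUNNEL_MODULES
        elif isinstance(node, ast.ImportFrom) and node.module:  # from websocket import ...
            found["tunnel_modules"] |= {node.module.split(".")[0]} & TUNNEL_MODULES
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            found["gmail_addresses"].update(GMAIL_RE.findall(node.value))
        elif isinstance(node, ast.Call):
            name, args = _call_name(node.func), node.args
            host = args[0].value if args and isinstance(args[0], ast.Constant) else None
            if name in ("SMTP", "SMTP_SSL") and isinstance(host, str) and host.endswith("gmail.com"):
                found["gmail_smtp"] = True  # SMTP("smtp.gmail.com", ...) with a literal host
            if name == "login" and len(args) >= 2 and all(isinstance(a, ast.Constant) for a in args[:2]):
                found["hardcoded_login"] = True  # .login("user", "pass") with literal credentials
    return found

def risk_level(found):
    """Three or more indicators together match the report's C2 signature."""
    hits = sum([found["gmail_smtp"], found["hardcoded_login"],
                bool(found["gmail_addresses"]), bool(found["tunnel_modules"])])
    return "high" if hits >= 3 else "medium" if hits == 2 else "low"

# Constructed fixtures for the scanner; placeholder addresses, not the reported ones.
SUSPICIOUS = '''
import smtplib, websocket
s = smtplib.SMTP("smtp.gmail.com", 587)
s.login("implant-placeholder@gmail.com", "placeholder-password")
'''
BENIGN = '''
import os, smtplib
s = smtplib.SMTP(os.environ["SMTP_HOST"], 587)
s.login(os.environ["SMTP_USER"], os.environ["SMTP_PASS"])
'''
if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, risk_level(scan_source(src)))
```

The benign fixture reads its host and credentials from the environment, so none of the literal-value indicators fire; a real audit would run `scan_source` over every `.py` file in the unpacked wheel or sdist.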