Dangerous Malware in Popular Python Package

Dangerous malware was found hidden in a fake Python package called discordpydebug.

This package was uploaded to the PyPI repository in March 2022. Since then, it has been downloaded more than 11,500 times. At first, it appeared to help developers working with Discord bots. However, it actually contained a remote access trojan (RAT).

The malware connects to an external server and accepts commands to read or write files. It can also run shell commands to steal data. For example, it may access config files, credentials, or tokens and send them to the attacker.

The remote access tool keeps its code simple, and that simplicity helps it avoid detection. Because it polls the attacker's server over outbound HTTP, its traffic looks like ordinary web requests and passes through most firewalls and many monitoring systems. Interestingly, the code does not try to gain higher permissions or stay on the system after reboot. However, the fact that it’s lightweight makes it more dangerous in poorly secured environments.

Researchers also discovered over 45 similar malicious packages. These are typosquats—fake versions of popular libraries from other ecosystems. Examples of the imitated names include beautifulsoup4, apache-httpclient, and seaborn.

All these packages share the same features: obfuscated code, the same infrastructure, and suspicious IP addresses. Therefore, it’s likely that one group or person created the entire campaign.

The goal is to trick developers into installing these tools. Once installed, the tools can steal sensitive data, run scripts, and even maintain a foothold on the system.

How to Stay Safe from Malicious Packages

To avoid falling victim, always verify packages before installing them. Check the upload date, number of downloads, and official documentation.

Avoid using packages with no updates or those that mimic the names of popular tools. Enable strict firewall rules and monitor outbound connections in development environments.

Additionally, use tools that scan for suspicious code in your dependencies. Education and caution remain the best defenses against supply chain attacks.
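The checks recommended above (does the name mimic a well-known library, and when was the package last uploaded) can be scripted as a pre-install triage step. The following is an added example written for this post, not code from the original article or from any scanning product; the allowlist, the sample metadata and the dates are constructed, and the metadata follows the shape of PyPI's JSON API (https://pypi.org/pypi/<name>/json).

```python
import re
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed allowlist of names a team actually relies on (assumption, not an official list).
KNOWN_GOOD = ("discord.py", "beautifulsoup4", "seaborn", "requests", "numpy")

def normalize(name):
    """Lowercase and drop separators so 'discord.py' and 'discord-py' compare equal."""
    return re.sub(r"[-_.]+", "", name.lower())

def looks_like_typosquat(name, known=KNOWN_GOOD, threshold=0.85):
    """Return the known-good name this candidate resembles, or None if it is exact or unrelated."""
    cand = normalize(name)
    if any(cand == normalize(k) for k in known):
        return None                       # exact (normalized) match: the real package
    best, best_ratio = None, 0.0
    for k in known:
        kn = normalize(k)
        if cand.startswith(kn) or cand.endswith(kn):
            return k                      # known name with text bolted on, e.g. discordpydebug
        ratio = SequenceMatcher(None, cand, kn).ratio()
        if ratio > best_ratio:
            best, best_ratio = k, ratio
    return best if best_ratio >= threshold else None   # near-miss spellings

def newest_upload(pypi_json):
    """Newest upload time across all release files, as an aware UTC datetime (None if no files)."""
    times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
             for files in pypi_json["releases"].values() for f in files]
    return max(times) if times else None

def assess(name, pypi_json, now, stale_days=365):
    """Collect human-readable findings; an empty list means nothing stood out."""
    findings = []
    squat = looks_like_typosquat(name)
    if squat:
        findings.append(f"name resembles {squat!r}")
    newest = newest_upload(pypi_json)
    if newest is None:
        findings.append("no release files")
    elif (now - newest).days > stale_days:
        findings.append(f"last upload {(now - newest).days} days ago")
    return findings

# Constructed sample: one release, uploaded in March 2022, evaluated on a fixed later date.
SAMPLE_PYPI_JSON = {
    "info": {"name": "discordpydebug", "summary": "constructed sample"},
    "releases": {"0.0.4": [{"upload_time_iso_8601": "2022-03-21T00:00:00.000000Z"}]},
}
NOW = datetime(2025, 5, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    for line in assess("discordpydebug", SAMPLE_PYPI_JSON, NOW):
        print("WARNING:", line)
```

Hits are triage signals, not verdicts: a legitimate extension such as a "-oauthlib" add-on will also trip the prefix rule, so review flagged names against the allowlist before blocking them.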

Sleep well, we got you covered.