Researchers have found malware that turns a Discord client into a password-stealing program targeting web browsers and Roblox. A dozen malicious PyPI packages were posted by a user named “scarycoder” on the open source Python repository pypi.org. Researchers at Snyk discovered the packages and reported that they could modify Discord clients, making them capable of stealing passwords and login details from web browsers.
The packages were posted on August 1, 2022, under names such as “rbxtool,” “cyphers,” and “pippytest.” The uploader supplied a use and description for each package, and the last three of the 12 PyPI packages were described as “a very basic hacking module.”
More than Python packages
According to researchers at Snyk, the packages pretended to be Roblox tools and basic hacking modules. On inspection, however, none of the 12 PyPI packages provided anything of the sort; instead, they install password-stealing malware on the target device.
After several media outlets reported on these packages, the user “scarycoder” removed them from the open source repository. The user’s page now shows only empty entries, and clicking them returns a 404 error.
Before the removal, while the files were still live on the platform, the Boston-based cybersecurity company analyzed everything uploaded by “scarycoder.” The company published a detailed incident report explaining how the 12 packages stole information from users.
Snyk explains how the PyPI packages work
According to Snyk’s post of August 16, 2022, the team’s recent research found 12 unique pieces of malware on an open source repository, posing as Roblox tools and basic hacking modules. The malware used Discord to avoid detection while infiltrating Windows machines and running malicious executable files.
The PyPI packages used PyInstaller to bundle a malicious application, together with its dependencies, into a single file within each package. Bundling the dependencies rather than downloading them from a remote server helped the malicious application avoid detection and produced a ready-to-run executable that needs no separate Python interpreter.
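As an added illustration (not code from Snyk’s report or from the packages themselves), the following Python script walks an unpacked package directory and flags files that carry a Windows PE header or the archive cookie that PyInstaller writes into every binary it builds; the sample package it creates in a temporary directory, including the file names, is constructed here.

```python
import os
import tempfile

# PyInstaller stamps every bundled executable with this archive cookie
# (PyInstaller/archive/readers.py: MAGIC = b'MEI\014\013\012\013\016').
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
PE_MAGIC = b"MZ"  # DOS/PE header that starts every Windows executable


def classify_file(path):
    """Return the reasons a file inside a Python package looks like a bundled payload."""
    reasons = []
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(PE_MAGIC):
        reasons.append("Windows PE executable shipped inside a Python package")
    if PYINSTALLER_MAGIC in data:
        reasons.append("PyInstaller archive cookie: self-contained bundle with embedded dependencies")
    return reasons


def scan_package_dir(root):
    """Walk an unpacked sdist/wheel; map each suspicious file (relative, '/'-separated) to its reasons."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = classify_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_constructed_sample():
    """Constructed sample package (not a real upload): one benign module, one fake PyInstaller PE."""
    root = tempfile.mkdtemp(prefix="pkg_")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "rbxtool.py"), "w") as fh:
        fh.write("print('placeholder module')\n")
    fake_bundle = PE_MAGIC + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 16
    with open(os.path.join(root, "bin", "updater.exe"), "wb") as fh:
        fh.write(fake_bundle)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_package_dir(build_constructed_sample()).items():
        print(rel, "->", "; ".join(reasons))
```

A pure-Python package has no reason to ship a PE binary, so either finding is worth a manual look before the package is installed.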
How does the malware steal data from users?
Although neither the company nor any affected user has reported actual data theft, Snyk’s researchers have verified the malware and how it works. According to the report, it targets passwords, login details, and other data stored in web browsers. Once executed, it attempts to steal data from browsers such as Google Chrome and uses it to pivot through the user’s accounts.
In addition, the malware can exfiltrate Discord tokens by injecting malicious code into the Discord client. The component, code-named “Discord Injector,” then harvests an alarming amount of information from the victim’s device, and it can also skim credit card details that users enter after the injector has been loaded.