Python Packages Attempting to Steal Discord Tokens, Credit Card Numbers


Staff member
Malware Hunter
Jul 27, 2015
The operators of the Python Package Index (PyPI), the official repository for Python components, have removed eight libraries this week that contained malicious code.

Discovered by the JFrog security team, formerly known as VDOO, the eight packages can be grouped into two categories based on the malicious operations they performed. Two of the eight allowed a remote attacker to run malicious commands on a victim’s device by making the infected host connect to an attacker’s IP address on TCP port 9009, and then execute any malicious Python code provided by this server. The other six PyPI packages worked primarily as stealers. Once installed on a developer’s computer, they collected data from the infected host with a focus on general system information, Discord tokens (scraped from predetermined disk locations), and payment card information (extracted from locally installed browsers such as Google, Opera, Brave, and Yandex).

Based on statistics gathered through third-party service Pepy, the JFrog team said the eight libraries were downloaded more than 30,000 before being removed from the PyPI portal. An in-depth technical report about each library’s technical capabilities is available on the JFrog blog.

This week’s incident is also not that out of the ordinary. Malicious packages make it on the official PyPI repository on a regular basis, along with the official repositories of many other programming languages. For example, security researchers previously discovered malicious PyPI packages that contained a hidden backdoor targeting Linux systems, PyPI packages that opened reverse shells on infected hosts, and PyPI packages that stole SSH and GPG keys. Furthermore, Discord tokens have also been at the center of incidents on the npm (JavaScript) repository at least on two different occasions.


Level 16
May 4, 2019
PyPI Python Package Repository Patches Critical Supply Chain Flaw
The maintainers of Python Package Index (PyPI) last week issued fixes for three vulnerabilities, one among which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository.

The security weaknesses were discovered and reported by Japanese security researcher RyotaK, who in the past has disclosed critical vulnerabilities in the Homebrew Cask repository and Cloudflare's CDNJS library. He was awarded a total of $3,000 as part of the bug bounty program.