A malicious PyPI package called ‘pycord-self’ targets Discord developers to steal authentication tokens and deploy a backdoor for remote system control.
Researchers noticed that the package mimics the well-known ‘discord.py-self’ package, which has approximately 28 million downloads and is a legitimate project. The legitimate package is a Python library that communicates with Discord’s user API and allows developers to manage accounts programmatically.
It is commonly used for messaging and automating conversations, constructing Discord bots, scripting automated moderation, notifications, or responses, and executing commands or retrieving data from Discord without requiring a bot account.
The ‘pycord-self’ package has already amassed hundreds of downloads.
According to reports, the ‘pycord-self’ PyPI package was added in June 2024 and has already garnered nearly 900 downloads. As of this writing, the package was still available on PyPI from a publisher whose details had been verified by the platform.
The researchers who examined the malicious package discovered that pycord-self contains code that performs two primary functions. The first forwards the victim’s Discord authentication tokens to an external URL. Even if 2FA (https://staging.izoologic.com/glossary/what-is-two-factor-authentication-2fa/) is enabled, attackers can use the stolen token to access the developer’s Discord account without needing the account credentials.
The second establishes persistence for a stealthy backdoor by maintaining a connection to a remote server on port 6969. Depending on the target’s OS, it spawns a shell that gives the attacker continuous access to the victim’s PC.
The researchers also noted that the backdoor runs in a separate thread, so the package keeps functioning normally while the backdoor remains difficult to detect.
Software developers should avoid installing packages without verifying the legitimacy and authenticity of their code and its author. Cybercriminals commonly reuse popular authors’ names to lend their malicious packages an air of legitimacy.
Additionally, some hackers use typosquatting tactics, so developers should double-check package names to avoid downloading malicious look-alikes.
Developers should always review a package’s code for questionable behaviour and avoid anything that appears obfuscated, so that dangerous packages never reach their systems.
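To put the “verify before installing” advice into practice, here is an added example (not code from the article or from the researchers it cites) that audits a requirements file against a project allowlist, normalising names as PyPI does (PEP 503) and flagging near-misses by edit distance; the allowlist and the sample requirements are constructed for illustration.

```python
import re

# Constructed allowlist for illustration; a real project maintains its own.
TRUSTED = {"discord.py-self", "discord.py", "requests"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, trusted=TRUSTED, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' (within max_distance of a trusted name) or 'unknown'."""
    n = normalize(name)
    allowed = {normalize(t) for t in trusted}
    if n in allowed:
        return "trusted"
    if any(levenshtein(n, t) <= max_distance for t in allowed):
        return "lookalike"
    return "unknown"


def audit_requirements(text: str) -> dict:
    """Classify every requirement line; version specifiers and comments are ignored."""
    verdicts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[\s<>=!~\[;]", line, maxsplit=1)[0]
        verdicts[name] = classify(name)
    return verdicts


if __name__ == "__main__":
    # Constructed sample requirements file containing the package named above.
    sample = "discord.py-self==2.0\npycord-self\ndiscord-py-slef>=1.0  # typo\nrequests\n"
    for pkg, verdict in audit_requirements(sample).items():
        print(f"{pkg:20s} {verdict}")
```

Note that ‘pycord-self’ is not a pure typosquat of ‘discord.py-self’, so the edit-distance rule does not catch it; it is the allowlist that flags it as unknown, which is why name similarity alone is not enough and an explicit list of vetted packages is needed.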
