11 Malicious Python Packages Downloaded Over 41,000 Times Caught Stealing Tokens & Passwords

Security engineers of the Python Package Index (PyPI) recently detected 11 malicious Python packages that had been downloaded more than 41,000 times. The threat actors used these packages to steal access tokens and passwords.

Luckily, all 11 malicious packages have since been removed from PyPI, the official third-party software repository for Python.

These libraries stole user data, including Discord tokens and passwords, and then installed shells on victims’ systems so that the threat actors could access them easily.

Reported Packages

Here are all the reported packages that were removed:

  • importantpackage/important-package – Downloaded 6305/12897 times
  • pptest – Downloaded 10001 times
  • ipboards – Downloaded 946 times
  • owlmoon – Downloaded 3285 times
  • DiscordSafety – Downloaded 557 times
  • trrfab – Downloaded 287 times
  • 10Cent10/10Cent11 – Downloaded 490/490 times
  • yandex-yt – Downloaded 4183 times
  • yiffparty – Downloaded 1859 times

A powerful vector

Threat actors increasingly target package managers, whose use keeps growing and which are one of the most powerful vectors for accidental installation of malware. With these 11 new malicious packages, the operators noticed that the threat actors are becoming more sophisticated with every operation.

The most advanced and tricky methods used in these malware packages are novel exfiltration techniques and even DNS tunneling. Luckily, the operators of PyPI have detected all 11 malicious Python packages.

Abusing CDN TLS termination

The first method used to hide communications with the C2 server abuses the Fastly CDN. The Fastly CDN host uses the Varnish transparent HTTP proxy, which hides the communication between clients and the backend.

The same process is repeated in the reverse direction, which lets the malware carry out duplex communication with the C2 server through traffic that appears to be exchanged with PyPI.

owlmoon & DiscordSafety – Trojans that Hijack Discord Tokens

Most of these malicious packages are based on well-known open-source “stealer utilities,” and they hide the malicious code as a dependency.

It has also been established that the malware has two parts:

  • One is the malicious package itself, which steals tokens and is quite easy to identify.
  • The other is a “legitimate” package, installed through typosquatting or dependency confusion, which does not itself include any malicious functionality.
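Because the stealer arrives as a transitive dependency of an otherwise harmless-looking package, a defender wants to know which installed packages nobody actually declared, and wants name matching that survives the spelling variants PyPI treats as equivalent (important-package vs importantpackage, DiscordSafety vs discordsafety). The audit below is an added example, not code from the article or from PyPI; the package list is taken from this article and the `pip freeze` sample is constructed.

```python
from __future__ import annotations
import re

# Package names reported in the article (copied from the page, not from PyPI metadata).
REPORTED = {
    "importantpackage", "important-package", "pptest", "ipboards", "owlmoon",
    "DiscordSafety", "trrfab", "10Cent10", "10Cent11", "yandex-yt", "yiffparty",
}

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, and any run of '-', '_' or '.' becomes '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

REPORTED_NORM = {normalize(n) for n in REPORTED}

def parse_freeze(text: str) -> dict[str, str]:
    """Parse `pip freeze` style output ('name==version' per line) into {normalized_name: version}."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        installed[normalize(name)] = version
    return installed

def audit(freeze_text: str, declared: list[str]) -> dict[str, list[str]]:
    """Report (a) installed packages named in the article and (b) installed packages
    the project never declared directly. Undeclared packages are not malicious by
    themselves; they are the transitive layer where a typosquatted "legitimate"
    package smuggles in the stealer, so they are the set worth reviewing."""
    installed = parse_freeze(freeze_text)
    declared_norm = {normalize(d) for d in declared}
    reported = sorted(n for n in installed if n in REPORTED_NORM)
    undeclared = sorted(n for n in installed if n not in declared_norm)
    return {"reported": reported, "undeclared": undeclared}

# Constructed sample environment: the project declares requests and discord.py only;
# everything else arrived transitively, including two packages from the reported list
# spelled differently from how the article lists them.
SAMPLE_FREEZE = """\
requests==2.26.0
discord.py==1.7.3
discordsafety==0.1.0
Important_Package==1.0.0
charset-normalizer==2.0.7
"""

if __name__ == "__main__":
    print(audit(SAMPLE_FREEZE, ["requests", "discord.py"]))
```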

Although all 11 malicious Python packages have been detected, there is much more to learn about this type of malicious package.

This kind of malicious package is getting more sophisticated and is becoming a threat to PyPI. That is why developers need to take extra care and stay alert to this kind of attack.


Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.