Cybersecurity researchers have uncovered a dangerous malicious PyPI package posing as a Discord utility tool. The infected package, named discordpydebug, hides a fully operational remote access trojan (RAT) that can compromise systems and steal sensitive data.
Uploaded to the Python Package Index (PyPI) on March 21, 2022, the package has remained active with no updates and has been downloaded over 11,000 times. Despite its suspicious activity, it’s still available on the registry.
A Discord Tool That Isn’t What It Seems
At first glance, discordpydebug appears to be a helpful module for developers using the Discord.py library. However, researchers at Socket discovered that the package secretly installs a trojan capable of executing a wide range of harmful tasks.
Once installed, the package communicates with an external server — “backstabprotection.jamesx123.repl[.]co.” Through this connection, it can execute shell commands and read or modify arbitrary files on the infected system.
In simple terms, this trojan can:
- Steal tokens and configuration files
- Alter or delete system data
- Download and install other malicious programs
- Run shell commands to exfiltrate sensitive information
Bypassing Security with Stealth
According to the Socket Research Team, the malware’s design is deceptively simple. It doesn’t include features like persistence or privilege escalation, but that doesn’t make it any less dangerous.
The RAT uses outbound HTTP polling to its server rather than listening for inbound connections, so its traffic looks like ordinary client web requests, which perimeter firewalls and monitoring tools typically allow. This makes it especially effective in less secure environments like local development systems.
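As an added illustration, not code from the article or from Socket, the following puts the two points above into defender terms: a check of a requirements.txt body for the package name reported in the article, and a detection run over constructed proxy-log lines that flags any host polled at near-regular intervals (the beaconing pattern) as well as any request to the command-and-control domain quoted above. The log line format, client names and hosts other than that domain are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicators taken from the article; the defanged domain is restored for matching.
KNOWN_BAD_PYPI = {"discordpydebug"}
KNOWN_C2_HOSTS = {"backstabprotection.jamesx123.repl.co"}

def flag_requirements(requirements_text):
    """Return names in a requirements.txt body that match the known-bad package list."""
    found = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        name = re.split(r"[=<>!~\[ ;]", line, 1)[0].lower()  # strip version specifiers
        if name in KNOWN_BAD_PYPI:
            found.append(name)
    return found

# Constructed log format (assumption): "YYYY-MM-DD HH:MM:SS client -> host"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+)")

def find_beaconing(log_lines, min_hits=4, max_cv=0.2):
    """Flag (client, host, reason) for known C2 hosts and for near-periodic polling.
    max_cv bounds stdev/mean of the inter-request gaps still treated as periodic."""
    times = defaultdict(list)
    hits = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, host = m.groups()
        if host in KNOWN_C2_HOSTS:
            hits.add((client, host, "known-c2"))
        times[(client, host)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.add((*key, "periodic"))
    return sorted(hits)

SAMPLE_LOG = [  # constructed sample: one 30 s poll, one jittered 60 s poll, two benign patterns
    "2024-01-01 10:00:00 devbox01 -> backstabprotection.jamesx123.repl.co",
    "2024-01-01 10:00:30 devbox01 -> backstabprotection.jamesx123.repl.co",
    "2024-01-01 10:01:00 devbox01 -> backstabprotection.jamesx123.repl.co",
    "2024-01-01 10:01:30 devbox01 -> backstabprotection.jamesx123.repl.co",
    "2024-01-01 10:00:05 devbox01 -> pypi.org",
    "2024-01-01 10:07:41 devbox01 -> pypi.org",
    "2024-01-01 10:00:00 devbox02 -> updates.example-internal.local",
    "2024-01-01 10:01:00 devbox02 -> updates.example-internal.local",
    "2024-01-01 10:02:05 devbox02 -> updates.example-internal.local",
    "2024-01-01 10:03:00 devbox02 -> updates.example-internal.local",
    "2024-01-01 10:00:00 devbox03 -> cdn.example.com",
    "2024-01-01 10:00:10 devbox03 -> cdn.example.com",
    "2024-01-01 10:03:30 devbox03 -> cdn.example.com",
    "2024-01-01 10:03:35 devbox03 -> cdn.example.com",
]
```

Tune min_hits and max_cv to the log volume you actually have; the jittered devbox02 series shows why a strict equal-gap test would miss a client that randomises its polling slightly.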
This discovery comes alongside another worrying trend. Socket has identified over 45 malicious npm packages masquerading as trusted libraries from the Python, Java, and .NET ecosystems. These typosquatting attacks include:
- beautifulsoup4 (mimicking Python’s BeautifulSoup)
- apache-httpclient (copying Apache HttpClient for Java)
- opentk (imitating OpenTK for .NET)
- seaborn (cloning the popular Python data visualization tool)
These npm packages use similar infrastructure and obfuscated code. They’re all designed to evade security scans, steal data, and maintain access to affected machines. Despite different names and maintainers, they all link back to a single threat actor.
This campaign highlights the growing risk of malicious PyPI packages and software supply chain attacks. Developers must stay vigilant when downloading packages and check for unusual activity. As always, keeping dependencies updated and verified is critical to maintaining security.