In a recent cybersecurity development, researchers have identified a malicious package on the Python Package Index (PyPI) repository, named ‘discordpydebug’. This package, masquerading as a legitimate Discord-related utility, has been downloaded over 11,500 times since its upload on March 21, 2022. Alarmingly, it remains available on the open-source registry without any updates since its initial release.
At first glance, ‘discordpydebug’ appears to be a simple tool designed for developers working on Discord bots using the Discord.py library. However, upon closer examination, it conceals a fully functional remote access trojan (RAT). Once installed, the package establishes a connection to an external server and includes features that allow it to read and write arbitrary files based on commands received from the server. Additionally, the RAT supports the execution of shell commands, enabling it to read sensitive data such as configuration files, tokens, and credentials, tamper with existing files, download additional payloads, and run commands to exfiltrate data.
Much of what makes ‘discordpydebug’ effective is its simplicity. Because it polls its server over outbound HTTP rather than listening for inbound connections, its traffic resembles ordinary client requests and passes through most firewalls and security monitoring tools, especially in less tightly controlled development environments.
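The outbound-polling behaviour described above is exactly what a defender can look for in egress-proxy logs: a development host that contacts the same external host at suspiciously regular intervals. The script below is an added example, not code from the original report or from the researchers; the log format, the host names (the polling target uses the reserved `.invalid` TLD as a placeholder) and the thresholds `min_requests` and `max_cv` are all assumptions made for the illustration.

```python
"""Flag periodic outbound HTTP polling (beaconing) in egress-proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log, one request per line:
# "<ISO-8601 timestamp> <source host> <method> <url>".
# The host name example-c2.invalid is a placeholder, not a real indicator.
SAMPLE_LOG = """\
2022-03-22T09:00:00 dev-laptop-07 GET http://example-c2.invalid/poll
2022-03-22T09:00:04 dev-laptop-07 GET https://pypi.org/simple/requests/
2022-03-22T09:00:30 dev-laptop-07 GET http://example-c2.invalid/poll
2022-03-22T09:01:00 dev-laptop-07 GET http://example-c2.invalid/poll
2022-03-22T09:01:31 dev-laptop-07 GET http://example-c2.invalid/poll
2022-03-22T09:01:45 dev-laptop-07 GET https://github.com/
2022-03-22T09:02:00 dev-laptop-07 GET http://example-c2.invalid/poll
2022-03-22T09:02:30 dev-laptop-07 GET http://example-c2.invalid/poll
2022-03-22T09:03:00 dev-laptop-07 GET http://example-c2.invalid/poll
2022-03-22T09:05:10 dev-laptop-07 GET https://github.com/
2022-03-22T09:09:50 dev-laptop-07 GET https://github.com/
2022-03-22T09:10:05 dev-laptop-07 GET https://github.com/
2022-03-22T09:14:33 dev-laptop-07 GET https://github.com/
"""


def parse_log(text):
    """Yield (timestamp, source host, destination host) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, url = line.split()
        yield datetime.fromisoformat(ts), src, urlsplit(url).hostname


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return (src, dst) pairs whose request timing is suspiciously regular.

    For each pair, the gaps between consecutive requests are computed. A pair
    is reported when it has at least `min_requests` requests and the
    coefficient of variation (std dev / mean) of the gaps is below `max_cv`.
    Human browsing and package downloads are bursty; a polling loop is not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            hits.append({"src": src, "dst": dst, "requests": len(stamps),
                         "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['requests']} requests, "
              f"~{hit['mean_interval_s']}s apart (cv={hit['cv']})")
```

In the sample, the seven requests to the placeholder host arrive about 30 seconds apart with almost no jitter and are flagged, while the irregular GitHub traffic is not. On real logs the thresholds need tuning per environment, and legitimate agents (package managers, update checkers, monitoring clients) also poll on a timer, so a hit is a prompt to look at the destination and the process behind it rather than a verdict on its own.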
This discovery underscores the importance of vigilance when downloading and installing packages from open-source repositories. Developers are advised to thoroughly vet packages and their maintainers, and to rely on well-established and reputable sources. Regularly updating and monitoring dependencies can also help mitigate the risk of introducing malicious code into projects.
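One concrete way to vet a package before installing it is to look at what capabilities its source code requests, since a tiny "debug utility" that combines outbound networking with shell execution and arbitrary file writes deserves a closer look. The script below is an added example and not code from the report or the package; the module and call lists are an assumed, deliberately small set of indicators, and the two source snippets it is run against are constructed for the illustration.

```python
"""Static capability triage of Python source before a package is installed."""
import ast
import os

# Assumed indicator lists; extend them for your own environment.
NETWORK_MODULES = {"requests", "urllib", "socket", "http", "httpx", "aiohttp"}
PROCESS_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
                 "subprocess.call", "subprocess.check_output"}
DYNAMIC_EXEC_CALLS = {"exec", "eval"}

# Constructed sample: what a genuine bot helper typically looks like.
BENIGN_SAMPLE = '''
import logging
import discord

def on_message(message):
    logging.info("message from %s", message.author)
'''

# Constructed sample: network access, a shell call and a file write together.
SUSPICIOUS_SAMPLE = '''
import requests
import subprocess

def fetch_settings(url):
    return requests.get(url).json()

def save(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def run(cmd):
    return subprocess.run(cmd, shell=True)
'''


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_write_open(call):
    """True for open(path, 'w'...) or open(path, mode='a'...) style calls."""
    if _dotted_name(call.func) != "open":
        return False
    mode = None
    if len(call.args) >= 2 and isinstance(call.args[1], ast.Constant):
        mode = call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = kw.value.value
    return isinstance(mode, str) and any(c in mode for c in "wax+")


def triage(source):
    """Return the capabilities found in `source` and a coarse verdict."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        mods = set()
        if isinstance(node, ast.Import):
            mods = {alias.name.split(".")[0] for alias in node.names}
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods = {node.module.split(".")[0]}
        if mods & NETWORK_MODULES:
            caps.add("network")
        if "subprocess" in mods:
            caps.add("process")
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in PROCESS_CALLS:
                caps.add("process")
            if name in DYNAMIC_EXEC_CALLS:
                caps.add("dynamic_exec")
            if _is_write_open(node):
                caps.add("file_write")
    risky = caps & {"process", "file_write", "dynamic_exec"}
    verdict = "review" if "network" in caps and risky else "low"
    return {"capabilities": sorted(caps), "verdict": verdict}


def triage_tree(root):
    """Triage every .py file under `root` (e.g. an unpacked sdist or wheel)."""
    merged = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".py"):
                with open(os.path.join(dirpath, name), encoding="utf-8") as fh:
                    merged.update(triage(fh.read())["capabilities"])
    return triage_from_caps(merged)


def triage_from_caps(caps):
    risky = caps & {"process", "file_write", "dynamic_exec"}
    return {"capabilities": sorted(caps),
            "verdict": "review" if "network" in caps and risky else "low"}


if __name__ == "__main__":
    print("benign    :", triage(BENIGN_SAMPLE))
    print("suspicious:", triage(SUSPICIOUS_SAMPLE))
```

Run `triage_tree` on the unpacked archive downloaded with `pip download --no-deps <name>` rather than on an installed copy, so nothing in the package executes during the check. A "review" verdict is not proof of malice; plenty of legitimate tooling talks to the network and runs subprocesses, so the point is to force a human read of a package whose stated purpose does not explain those capabilities.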