Malicious PyPI Packages Exploit Instagram and TikTok APIs to Validate User Accounts

Cybersecurity researchers have recently identified malicious packages uploaded to the Python Package Index (PyPI) repository. These packages function as tools to verify stolen email addresses against TikTok and Instagram APIs, potentially facilitating further malicious activities.

The three identified packages—checker-SaGaF, steinlurks, and sinnercore—have been removed from PyPI. Before their removal, they had accumulated significant download counts:

– checker-SaGaF: 2,605 downloads
– steinlurks: 1,049 downloads
– sinnercore: 3,300 downloads

checker-SaGaF is designed to send HTTP POST requests to TikTok’s password recovery API and Instagram’s account login endpoints. By doing so, it determines whether a given email address is associated with an existing account on these platforms. This functionality allows threat actors to confirm the validity of email addresses, which can then be used for various malicious purposes, such as doxxing, spamming, conducting fake report attacks to suspend accounts, or launching credential stuffing and password spraying attacks. Validated user lists are also valuable commodities on the dark web, enabling and accelerating entire attack chains while minimizing detection by targeting known-valid accounts.

Similarly, steinlurks targets Instagram accounts by sending forged HTTP POST requests that mimic the Instagram Android app, thereby evading detection. It interacts with multiple API endpoints, including:

– `i.instagram.com/api/v1/users/lookup/`
– `i.instagram.com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/`
– `i.instagram.com/api/v1/accounts/send_recovery_flow_email/`
– `www.instagram.com/api/v1/web/accounts/check_email/`

By exploiting these endpoints, steinlurks can verify the existence of Instagram accounts associated with specific email addresses, further aiding in the compilation of validated user lists for malicious use.

sinnercore focuses on triggering the forgot-password flow for a given username by sending forged HTTP requests containing the target’s username to the API endpoint `b.i.instagram.com/api/v1/accounts/send_password_reset/`. Additionally, sinnercore includes functionality targeting Telegram, such as extracting user information like name, user ID, bio, and premium status. It also offers cryptocurrency utilities, including real-time Binance price retrieval and currency conversions. Notably, it can fetch detailed information on any PyPI package, potentially aiding in the creation of fake developer profiles or the impersonation of legitimate developers.
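The three package names and the Instagram endpoints listed above are the concrete indicators a defender can act on. The following script is an added example, not code from the article or from any of the packages it describes: it normalizes project names the way pip does (PEP 503), flags any of the three removed packages in a requirements file or `pip freeze` output, and flags Python sources that reference the endpoint paths quoted in the article. The sample requirements text and the sample source string are constructed for the demonstration; the `ENDPOINT_INDICATORS` tuple contains only paths taken from the article (the TikTok password-recovery endpoint is not named there, so it is not included).

```python
"""Detect the PyPI packages and Instagram API endpoints named in the article.

Added example for this page. Two checks are implemented:
  * flag_requirements(): match a requirements file / pip freeze listing
    against the three package names reported as removed from PyPI.
  * flag_source() / scan_tree(): look for the quoted endpoint paths in
    Python source, e.g. in an unpacked sdist or a vendored dependency.
"""
import re
from pathlib import Path

# Package names from the article, stored in PEP 503 normalized form.
KNOWN_MALICIOUS = {"checker-sagaf", "steinlurks", "sinnercore"}

# Endpoint paths quoted in the article (scheme omitted so both http and
# https references, and string concatenations of host + path, still match).
ENDPOINT_INDICATORS = (
    "i.instagram.com/api/v1/users/lookup/",
    "i.instagram.com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/",
    "i.instagram.com/api/v1/accounts/send_recovery_flow_email/",
    "www.instagram.com/api/v1/web/accounts/check_email/",
    "b.i.instagram.com/api/v1/accounts/send_password_reset/",
)

# First token of a requirement line: the project name (PEP 508 name grammar).
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flag_requirements(text: str) -> list[str]:
    """Return requirement lines whose project name is a known-malicious package.

    Comments, blank lines and pip options (lines starting with '-') are skipped,
    so the function works on requirements.txt and on `pip freeze` output alike.
    """
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_NAME.match(line)
        if match and normalize_name(match.group(1)) in KNOWN_MALICIOUS:
            hits.append(line)
    return hits


def flag_source(source: str) -> list[str]:
    """Return the endpoint indicators that appear anywhere in a source string."""
    return [endpoint for endpoint in ENDPOINT_INDICATORS if endpoint in source]


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each .py file under root to the endpoint indicators it references."""
    findings = {}
    for path in Path(root).rglob("*.py"):
        hits = flag_source(path.read_text(errors="ignore"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample inputs for the demonstration (not real project files).
SAMPLE_REQUIREMENTS = """\
requests>=2.31
# pinned for reproducibility
Checker_SaGaF==1.0.0
numpy
steinlurks
-r other-requirements.txt
"""

SAMPLE_SOURCE = (
    "# constructed snippet: only a string constant, no request is made\n"
    'CHECK_URL = "https://www.instagram.com/api/v1/web/accounts/check_email/"\n'
)

if __name__ == "__main__":
    print("requirement hits:", flag_requirements(SAMPLE_REQUIREMENTS))
    print("source hits:", flag_source(SAMPLE_SOURCE))
```

Run it against `pip freeze > frozen.txt` and `scan_tree("site-packages")` (or an extracted sdist) to cover both an environment that already installed one of the packages and a dependency whose code reaches for these endpoints under a different name. Name matching alone is weak, since the same code can be re-uploaded under a fresh name, which is why the endpoint check is kept separate.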

The discovery of these packages underscores the ongoing threats within open-source ecosystems, where malicious actors exploit trusted platforms to distribute harmful code. Developers are urged to exercise caution when incorporating third-party packages into their projects. Implementing robust security practices, such as verifying the authenticity of packages, regularly updating dependencies, and monitoring for unusual activity, is essential to mitigate the risks associated with malicious software.

This incident highlights the importance of vigilance in the open-source community. By staying informed about emerging threats and adopting proactive security measures, developers can help safeguard their projects and users from potential exploitation.