Cybersecurity researchers at Socket have uncovered a significant security threat in the Python Package Index (PyPI), identifying a malicious package named “automslc” that has accumulated over 100,000 downloads since 2019. The package has been specifically designed to bypass Deezer’s security measures, enabling unauthorized access to protected content on the popular music streaming platform that serves users across 180 countries.
Technical Analysis of the Malicious Package
The investigation reveals that automslc operates through a sophisticated mechanism involving hardcoded credentials for Deezer’s platform. The package establishes authenticated sessions with Deezer’s API, either using these embedded credentials or allowing users to input their own authentication details. This dual-authentication approach demonstrates the attacker’s strategic implementation to maximize the package’s reach and effectiveness.
Once authentication is achieved, the package executes a series of unauthorized operations, including extraction of track metadata and special decryption tokens. Of particular concern is the exploitation of Deezer’s MD5_ORIGIN token, which is crucial for generating secure URLs. The package leverages internal API calls to circumvent Deezer’s standard preview restrictions, enabling full audio file downloads.
Security Implications and Infrastructure Abuse
While the package’s primary function appears to focus on unauthorized music acquisition, Socket’s analysis reveals more concerning security implications. The implementation of a Command and Control (C&C) infrastructure suggests sophisticated operational capabilities that extend beyond simple content piracy. This infrastructure could potentially be leveraged for coordinated cyberattacks or creating distributed attack networks.
Threat Actor Profile and Operational Patterns
The package maintainer, operating under the aliases “hoabt2” and “Thanh Hoa,” demonstrates active engagement in monitoring and coordinating user activities. This behavior pattern indicates a well-organized operation rather than a casual exploit attempt. Security analysts have identified this as a high-risk indicator for potential escalation to more severe forms of cyber attacks.
The cybersecurity community faces a critical challenge as this package remains available on PyPI, presenting an ongoing threat to both individual users and organizational security. This incident highlights the crucial importance of implementing robust dependency scanning practices and maintaining vigilant security protocols when utilizing open-source packages. Organizations are strongly advised to conduct thorough security audits of their Python dependencies and implement automated vulnerability scanning tools to detect and prevent similar security breaches. The continued availability of such malicious packages in public repositories emphasizes the need for enhanced security measures and more stringent package verification processes in the open-source ecosystem.
