Malicious Python Package "discordpydebug" Found to Contain Remote Access Trojan

Cybersecurity researchers have identified a malicious package on the Python Package Index (PyPI) named discordpydebug.

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Cybersecurity researchers have identified a malicious package on the Python Package Index (PyPI) named discordpydebug, which disguises itself as a helpful tool for Discord bot development. Upon closer inspection, however, it was found to include a fully functional Remote Access Trojan (RAT), capable of exfiltrating sensitive data and executing commands remotely.

What Is discordpydebug?

The package discordpydebug was uploaded to PyPI on March 21, 2022, and has since been downloaded over 11,500 times. Although it poses as a debugging utility for discord.py, a popular Python library for building Discord bots, the name and the advertised purpose are a cover for the malicious code inside.

The package has not been updated since its upload and remains publicly available on PyPI at the time of analysis.

Technical Analysis

According to the Socket Research Team, the package:

  • Connects to an attacker-controlled server:
    backstabprotection.jamesx123.repl[.]co

  • Polls that server for commands, including:

    • readfile: reads an arbitrary file from the victim's system and sends its contents back to the server.

    • writefile: creates or overwrites files on the victim's system with attacker-supplied content.

    • Shell commands: executes arbitrary commands on the infected host.

Capabilities

  • Data Exfiltration: Can access sensitive local files including tokens, configuration files, and credentials.

  • Command Execution: Allows attackers to run shell commands on infected systems.

  • Payload Delivery: Has the potential to download and run additional malware.

  • Firewall Evasion: Because the RAT polls its server over outbound HTTP rather than waiting for inbound connections, it passes straight through firewalls that only restrict inbound traffic and blends in with ordinary web requests. In loosely secured development environments with no egress filtering or proxy logging, this traffic is unlikely to be noticed; an egress allow-list or a review of proxy logs is what exposes it.

While the RAT does not include advanced features like persistence mechanisms or privilege escalation, its minimalist and unobtrusive nature makes it dangerous—especially in development environments where code may later be promoted to production.

Broader Supply Chain Threat

The discovery of discordpydebug aligns with a larger campaign recently uncovered by Socket, involving over 45 malicious packages uploaded to the npm registry. These packages impersonate well-known libraries from various ecosystems in a tactic known as typosquatting, where slight misspellings or name similarities are used to trick developers into downloading them.

Examples of npm Typosquatting Attacks

  Malicious npm Package   Impersonated Legitimate Library
  beautifulsoup4          BeautifulSoup4 (Python)
  apache-httpclient       Apache HttpClient (Java)
  opentk                  OpenTK (C#/.NET)
  seaborn                 Seaborn (Python)

All packages in this campaign:

  • Share a common IP address

  • Use similar obfuscation techniques

  • Are maintained by accounts that appear unrelated but likely belong to a single coordinated threat actor
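The two naming tricks described above, a popular name lifted from another ecosystem (beautifulsoup4 and seaborn on npm) and a trusted name with a word bolted on (discordpydebug on top of discord.py), can both be caught before `pip install` or `npm install` runs. The following is an added example, not code from this article or from Socket: KNOWN_PACKAGES is a small constructed stand-in for the top-N package lists you would pull from each registry, and the affix list and edit-distance limits are assumptions to tune against your own false-positive rate.

```python
"""Flag a package name that looks like a typosquat or a cross-ecosystem name grab.

Added example, not code from the article or from Socket. KNOWN_PACKAGES is
a small constructed stand-in for the top-N lists you would pull from each
registry; the affix list and edit-distance thresholds are assumptions.
"""
import re

# Constructed catalogue of well-known names per ecosystem (assumption).
KNOWN_PACKAGES = {
    "pypi":   {"beautifulsoup4", "seaborn", "requests", "discord.py", "numpy"},
    "npm":    {"express", "lodash", "react", "axios"},
    "java":   {"apache-httpclient"},
    "dotnet": {"OpenTK"},
}

# Words commonly bolted onto a trusted name to make a look-alike (assumption).
AFFIXES = ("debug", "dev", "utils", "tools", "python", "py", "js", "node", "official", "cli")


def normalize(name):
    """Collapse case and separators so 'Discord.py', 'discord_py' and 'discordpy' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def edit_distance(a, b):
    """Plain Levenshtein distance via a rolling two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stems(norm):
    """Candidate stems obtained by stripping one leading or one trailing affix."""
    out = set()
    for affix in AFFIXES:
        if len(norm) > len(affix):
            if norm.startswith(affix):
                out.add(norm[len(affix):])
            if norm.endswith(affix):
                out.add(norm[:-len(affix)])
    return out


def assess(name, ecosystem):
    """Return human-readable reasons to distrust `name` before installing it into `ecosystem`."""
    norm = normalize(name)
    if norm in {normalize(n) for n in KNOWN_PACKAGES.get(ecosystem, ())}:
        return []                                   # it is the well-known package itself
    findings = []
    for eco, names in KNOWN_PACKAGES.items():
        known = {normalize(n): n for n in names}
        if norm in known:                           # the npm/Python collisions from the table
            findings.append(f"reuses the name of {known[norm]} from {eco}")
            continue
        for k, original in known.items():
            limit = 1 if len(k) <= 5 else 2         # short names tolerate fewer edits
            d = edit_distance(norm, k)
            if 0 < d <= limit:
                findings.append(f"within {d} edit(s) of {original} ({eco})")
        for stem in stems(norm):                    # discordpydebug = discord.py + 'debug'
            if stem in known:
                findings.append(f"is {known[stem]} ({eco}) plus a common affix")
    return findings


if __name__ == "__main__":
    for pkg, eco in [("discordpydebug", "pypi"), ("seaborn", "npm"),
                     ("opentk", "npm"), ("requets", "pypi"), ("requests", "pypi")]:
        print(f"{eco}:{pkg} -> {assess(pkg, eco) or 'no findings'}")
```

A hit from assess() is a reason to look at the package page, the maintainer account and the install-time code, not proof of malice; the same heuristic would also flag a legitimate wrapper that happens to extend a well-known name, which is why the output is a list of reasons rather than a verdict.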

Malicious Behavior Observed

  • Code obfuscation to avoid detection

  • Script execution with system-level access

  • Data theft and remote control

  • Persistent infection mechanisms on compromised systems

Recommendations for Developers

Given the rise in software supply chain attacks:

  1. Verify Packages Carefully: Always double-check the spelling and source of any library you install.

  2. Use Dependency Scanning Tools: Socket flags suspicious install-time and runtime behaviour such as unexpected network access; npm audit and pip-audit check dependencies against known-vulnerability advisories, which helps only once a malicious package has already been reported and removed.

  3. Isolate Development Environments: Avoid running development environments with unnecessary permissions or access to sensitive files.

  4. Monitor Network Behavior: Outbound polling to unknown domains should be flagged and reviewed.
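The polling behaviour described under Capabilities, and the monitoring called for in recommendation 4, are easiest to act on if the check runs over logs you already have. The block below is an added example, not code from this article or from Socket: it reads egress-proxy log lines, groups requests by client and destination, and flags destinations whose request gaps are too regular to be a human. The log format, the allow-list of hosts that legitimately see periodic traffic, and the thresholds are assumptions; the sample lines are constructed to mimic a developer box whose freshly installed RAT polls its command server about once a minute, alongside ordinary browsing and an internal CI poller.

```python
"""Flag periodic outbound HTTP polling ("beaconing") in egress-proxy logs.

Added example, not code from the article or from Socket. The log line
format, the allow-list and the thresholds are assumptions; the sample
lines are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Hosts where regular automated traffic is expected (assumption; tune per site).
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org", "github.com", "ci.internal.example"}
MIN_REQUESTS = 5    # fewer samples give no usable interval estimate
MAX_JITTER = 0.15   # stdev/mean of the gap between requests; timers are regular, humans are not

# Constructed log in the form "<ISO timestamp> <client> <method> <host> <path>".
SAMPLE_LOG = """\
2025-05-06T09:00:00 10.0.0.12 GET backstabprotection.jamesx123.repl.co /
2025-05-06T09:00:05 10.0.0.12 GET files.pythonhosted.org /simple/discordpydebug/
2025-05-06T09:00:30 10.0.0.12 GET ci.internal.example /api/status
2025-05-06T09:01:00 10.0.0.12 GET backstabprotection.jamesx123.repl.co /
2025-05-06T09:01:21 10.0.0.12 GET stackoverflow.com /questions/tagged/discord.py
2025-05-06T09:01:30 10.0.0.12 GET ci.internal.example /api/status
2025-05-06T09:02:01 10.0.0.12 GET backstabprotection.jamesx123.repl.co /
2025-05-06T09:02:30 10.0.0.12 GET ci.internal.example /api/status
2025-05-06T09:02:40 10.0.0.12 GET stackoverflow.com /questions/tagged/asyncio
2025-05-06T09:03:00 10.0.0.12 GET backstabprotection.jamesx123.repl.co /
2025-05-06T09:03:30 10.0.0.12 GET ci.internal.example /api/status
2025-05-06T09:04:00 10.0.0.12 GET backstabprotection.jamesx123.repl.co /
2025-05-06T09:04:30 10.0.0.12 GET ci.internal.example /api/status
2025-05-06T09:05:01 10.0.0.12 GET backstabprotection.jamesx123.repl.co /
2025-05-06T09:07:30 10.0.0.12 GET stackoverflow.com /
2025-05-06T09:09:12 10.0.0.12 GET stackoverflow.com /search
2025-05-06T09:11:05 10.0.0.12 GET github.com /Rapptz/discord.py
2025-05-06T09:14:45 10.0.0.12 GET stackoverflow.com /questions/ask
"""


def parse_log(text):
    """Return (timestamp, client, host) tuples from the constructed proxy format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _path = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), client, host.lower()))
    return events


def is_allowed(host, allowed):
    """Exact or parent-domain match against the allow-list."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_beacons(events, allowed=ALLOWED_HOSTS, min_requests=MIN_REQUESTS, max_jitter=MAX_JITTER):
    """One finding per (client, host) pair whose request gaps are suspiciously regular."""
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in sorted(by_pair.items()):
        # Need at least two gaps for a standard deviation, hence the floor of 3 requests.
        if is_allowed(host, allowed) or len(stamps) < max(min_requests, 3):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue          # identical timestamps only; nothing to measure
        jitter = statistics.stdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({"client": client, "host": host, "requests": len(stamps),
                             "period_s": round(mean), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['host']}: {hit['requests']} requests, "
              f"period ~{hit['period_s']}s, jitter {hit['jitter']}")
```

With the default allow-list the only hit is the repl.co host polled every 60 seconds; the human browsing to stackoverflow.com has the same number of requests but a jitter well above the threshold. Dropping the allow-list also surfaces the internal CI poller, which is the trade-off to expect: the heuristic finds machines talking on timers, and the allow-list is where you record which of those machines you already know about. A real deployment would read from the proxy or DNS logs directly and re-run on a schedule; the structure of the check is the same.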

Conclusion

The discovery of discordpydebug and the broader campaign of impersonating popular open-source packages highlights the ongoing threat posed by supply chain attacks. With minimal code changes, malicious actors can infiltrate development environments, exfiltrate data, and deploy malware. Developers and organizations must take proactive steps to validate dependencies and monitor for anomalous activity.