A highly advanced software supply chain attack has been uncovered, which exploits Python Package Index (PyPI) repositories to spread malware. This attack uses Google’s SMTP infrastructure as a covert command-and-control (C2) channel.

The campaign distributed seven malicious packages—Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb—which collectively exceeded 55,000 downloads before being taken down.

Advanced Communication Method

These malicious packages establish an SMTP connection to Gmail’s servers using embedded credentials. Through this, a two-way communication tunnel is formed, allowing attackers to run remote commands and extract data from compromised systems.

This method is particularly stealthy, as SMTP traffic typically bypasses firewall and endpoint defenses due to its appearance as normal outbound email communication.

The Coffin-Codes-Pro package exemplifies this attack.

Once the initial SMTP connection is made, the malware initiates a WebSocket connection, which acts as the primary command-and-control channel.

Long-Term Development

Based on PyPI metadata, this attack has been in development for over three years. The earliest known package, cfc-bsb, was published in March 2021. Although it lacks email-based exfiltration, it demonstrates suspicious WebSocket tunneling, resembling tools like Ngrok.

Subsequent versions improve the technique, consistently using Gmail’s SMTP port 465, while changing only the login credentials. All versions communicate with a fixed email address: blockchain.bitcoins2020@gmail.com.

Threat Capabilities

These malicious packages could allow attackers to:

• Access restricted dashboards, APIs, and admin interfaces

• Upload/download files and execute shell commands

• Capture credentials and other sensitive information

• Maintain persistent access to the victim’s environment

A report by Socket shared with Cyber Security News notes that such tactics were previously used to steal Solana private keys, indicating that cryptocurrency theft may be a core objective, supported by the use of “blockchain” in communication identifiers.

Security Recommendations

Experts advise organizations to:

• Monitor for unexpected SMTP traffic, particularly outbound connections

• Validate package authenticity via download trends and publisher reputation

• Perform regular dependency and supply chain audits

• Apply strict access controls to critical internal systems

• Test third-party code in isolated environments

These findings reinforce a broader pattern of supply chain attacks on public repositories. To mitigate such risks, tools like the Socket GitHub app, CLI, and browser extension can help identify malicious or typosquatted packages before they are integrated into projects.

Though the malicious packages have now been removed from PyPI, the underlying techniques represent a continuously evolving threat. Security teams are urged to monitor for similar activities, especially those aligning with MITRE ATT&CK technique T1102.002 (Web Service: Bidirectional Communication).

REF:https://cybersecuritynews.com/gmails-smtp-protocol-abused/