
7 Malicious PyPI Packages Abuse Gmail’s SMTP Protocol to Execute Malicious Commands



A sophisticated software supply chain attack has been uncovered that uses the Python Package Index (PyPI) to distribute malware and Google’s SMTP infrastructure as a covert command-and-control (C2) channel.

The campaign distributed seven malicious packages—Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb—which collectively exceeded 55,000 downloads before being taken down.

Advanced Communication Method

These malicious packages establish an SMTP connection to Gmail’s servers using embedded credentials. Through this, a two-way communication tunnel is formed, allowing attackers to run remote commands and extract data from compromised systems.

This method is particularly stealthy, as SMTP traffic typically bypasses firewall and endpoint defenses due to its appearance as normal outbound email communication.

The Coffin-Codes-Pro package exemplifies this attack.

Once the initial SMTP connection is made, the malware initiates a WebSocket connection, which acts as the primary command-and-control channel.

Long-Term Development

Based on PyPI metadata, this attack has been in development for over three years. The earliest known package, cfc-bsb, was published in March 2021. Although it lacks email-based exfiltration, it demonstrates suspicious WebSocket tunneling, resembling tools like Ngrok.

Subsequent versions improve the technique, consistently using Gmail’s SMTP port 465, while changing only the login credentials. All versions communicate with a fixed email address: blockchain.bitcoins2020@gmail.com.

Threat Capabilities

These malicious packages could allow attackers to:

  • Access restricted dashboards, APIs, and admin interfaces

  • Upload/download files and execute shell commands

  • Capture credentials and other sensitive information

  • Maintain persistent access to the victim’s environment

A report by Socket shared with Cyber Security News notes that such tactics were previously used to steal Solana private keys, indicating that cryptocurrency theft may be a core objective, supported by the use of “blockchain” in communication identifiers.

Security Recommendations

Experts advise organizations to:

  • Monitor for unexpected SMTP traffic, particularly outbound connections

  • Validate package authenticity via download trends and publisher reputation

  • Perform regular dependency and supply chain audits

  • Apply strict access controls to critical internal systems

  • Test third-party code in isolated environments
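The first recommendation above, monitoring for unexpected outbound SMTP traffic, worked through as an added example (this is not code from the report or from Socket): it scans a constructed flow log for outbound connections on SMTP ports (465, as used by this campaign, plus 25 and 587) from hosts that are not sanctioned mail relays, and tags each finding with T1102.002. The host names, IP addresses and CSV layout are assumptions for the example.

```python
import csv
import io
from dataclasses import dataclass

# Ports on which mail submission/relay normally happens. The campaign used 465 (SMTPS).
SMTP_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}

# Constructed sample flow log (CSV) for this example, not taken from the article.
# Fields: ts, src_host, src_ip, dst_ip, dst_port, proto, bytes_out
SAMPLE_FLOWS = """\
ts,src_host,src_ip,dst_ip,dst_port,proto,bytes_out
2025-05-01T09:00:01Z,mail-relay-01,10.0.0.5,203.0.113.10,465,tcp,18240
2025-05-01T09:00:07Z,build-agent-07,10.0.2.17,203.0.113.44,465,tcp,2211
2025-05-01T09:00:09Z,dev-laptop-12,10.0.3.21,203.0.113.80,443,tcp,9100
2025-05-01T09:00:12Z,build-agent-07,10.0.2.17,203.0.113.44,465,tcp,3902
2025-05-01T09:00:20Z,ci-runner-03,10.0.2.30,203.0.113.44,587,tcp,1750
"""

@dataclass(frozen=True)
class SmtpAlert:
    src_host: str
    src_ip: str
    dst_ip: str
    dst_port: int
    connections: int
    bytes_out: int
    technique: str = "T1102.002"  # MITRE ATT&CK: Web Service: Bidirectional Communication

def find_unexpected_smtp(flow_csv, allowed_relays):
    """Return one alert per (source host, destination, port) for outbound traffic on
    SMTP ports originating from hosts that are not sanctioned mail relays."""
    allowed = {h.lower() for h in allowed_relays}
    buckets = {}  # (src_host, src_ip, dst_ip, port) -> (connection count, bytes out)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = int(row["dst_port"])
        if row["proto"] != "tcp" or port not in SMTP_PORTS:
            continue
        if row["src_host"].lower() in allowed:
            continue  # a build server or workstation talking SMTPS is the anomaly, not the relay
        key = (row["src_host"], row["src_ip"], row["dst_ip"], port)
        conns, total = buckets.get(key, (0, 0))
        buckets[key] = (conns + 1, total + int(row["bytes_out"]))
    return [SmtpAlert(h, s, d, p, c, b) for (h, s, d, p), (c, b) in sorted(buckets.items())]

if __name__ == "__main__":
    for a in find_unexpected_smtp(SAMPLE_FLOWS, ["mail-relay-01"]):
        print(f"{a.technique} {a.src_host} ({a.src_ip}) -> {a.dst_ip}:{a.dst_port} "
              f"[{SMTP_PORTS[a.dst_port]}] conns={a.connections} bytes_out={a.bytes_out}")
```

Repeated small-volume SMTPS sessions from a host that has no business sending mail are the pattern worth triaging; the allowlist keeps the legitimate relay out of the results.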

These findings reinforce a broader pattern of supply chain attacks on public repositories. To mitigate such risks, tools like the Socket GitHub app, CLI, and browser extension can help identify malicious or typosquatted packages before they are integrated into projects.

Though the malicious packages have now been removed from PyPI, the underlying techniques represent a continuously evolving threat. Security teams are urged to monitor for similar activities, especially those aligning with MITRE ATT&CK technique T1102.002 (Web Service: Bidirectional Communication).

REF: https://cybersecuritynews.com/gmails-smtp-protocol-abused/
