
Socket analysts reported their findings to the Python Package Index (PyPI), and malicious packages were removed from it. However, some of them had been present on PyPI for more than four years, and one package was downloaded more than 18,000 times.
Malware was identified in the following packages:
- Coffin-Codes-Pro (9000 downloads);
- Coffin-Codes-NET2 (6200 downloads);
- Coffin-Codes-NET (6100 downloads);
- Coffin-Codes-2022 (18,100 downloads);
- Coffin2022 (6500 downloads);
- Coffin-Grave (6500 downloads); and
- cfc-bsb (2900 downloads).
The malicious Coffin packages pose as the legitimate Coffin adapter that integrates Jinja2 templates into Django projects.
Their malicious functionality includes covert remote access and data exfiltration via Gmail.
The packages use hardcoded credentials to log into the Gmail SMTP server (smtp.
) and transmit information collected on victim hosts to their operators, thus, enabling them to remotely access compromised systems. Since Gmail is a trusted resource, firewalls and EDR systems are unlikely to consider such activity suspicious.
After sending the stolen data by email, the malware connects to the remote server over SSL using WebSocket and receives instructions on setting up an encrypted bidirectional tunnel from the host to the attacker.
Using the Client class, the malware tunnels traffic from the remote host to the local system to provide access to the internal admin panel and API and perform such operations as file transfer, email theft, execution of shell commands, collection of credentials, and lateral movement.
Based on the email addresses used (e.g. blockchain.
), Socket analysts conclude that the primary purpose of the malicious packages is to steal cryptocurrency, especially taking that similar tactics were previously used to steal Solana private keys.

2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.04.12 — Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems
The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, reported a major cybersecurity incident. Unknown attackers had…
Full article →
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack
Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…
Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →